October 10, 2023 at 11:54AM – Mirai Variant IZ1H9 Adds 13 Exploits to Arsenal


A variant of the Mirai botnet, known as IZ1H9, has updated its toolset with 13 new exploits targeting vulnerabilities in IoT devices from various manufacturers, including D-Link, TP-Link, Zyxel, and others. This variant is highly active in exploiting these vulnerabilities to recruit compromised devices for distributed denial-of-service (DDoS) attacks. Fortinet observed thousands of attack attempts on September 6, with the botnet now carrying approximately 30 exploits. The vulnerabilities include critical-severity flaws that allow remote code execution and arbitrary command execution on affected devices. Despite patches being available, the number of exploit triggers remains alarmingly high.

In the meeting, it was discussed that a variant of the Mirai botnet has recently updated its collection of tools with 13 exploits targeting vulnerabilities in IoT devices. These devices are manufactured by D-Link, TP-Link, Zyxel, and several other companies. This Mirai variant, known as IZ1H9, was first discovered in August 2018 and is considered to be one of the most active botnets. Its purpose is to exploit unpatched vulnerabilities in IoT devices and use them for distributed denial-of-service (DDoS) attacks.

IZ1H9 has recently expanded its arsenal and now carries approximately 30 exploits for vulnerabilities in devices from D-Link, Geutebruck, Korenix, Netis, Sunhillo, Totolink, TP-Link, Yealink, and Zyxel. The exploitation of these vulnerabilities reached its peak on September 6, with thousands of attack attempts observed by Fortinet.

Among the newly added exploits, four of them target D-Link vulnerabilities, which are tracked as CVE-2015-1187, CVE-2016-20017, CVE-2020-25506, and CVE-2021-45382. These flaws allow remote attackers to execute arbitrary code on affected devices. Eight other exploits focus on arbitrary command execution bugs in the firmware provided by UDP Technology to Geutebruck and other original equipment manufacturers (OEMs) for their IP cameras.

IZ1H9 also added exploits for other vulnerabilities: CVE-2023-23295, a command injection flaw in Korenix JetWave routers; CVE-2019-19356, a remote code execution bug in Netis WF2419 wireless routers; and CVE-2021-36380, a critical OS command injection issue in the Sunhillo SureLine application.

Additionally, exploits were added for various command injection vulnerabilities impacting Totolink routers, a recent command injection flaw in TP-Link Archer AX21 routers (CVE-2023-1389), two Yealink Device Management bugs, and an RCE vulnerability in Zyxel EMG3525 and VMG1312 devices. Fortinet also noticed that the malware includes a non-functional payload that apparently targets a Prolink PRC2402M router flaw (CVE-2021-35401).

It is important to note that some of the newly added vulnerabilities, such as CVE-2021-36380 and CVE-2023-23295, had not previously been reported as exploited in the wild.

The meeting concluded by emphasizing that IoT devices have always been a prime target for threat actors, especially when it comes to remote code execution attacks. The exposure of vulnerable devices poses significant security risks. Despite the availability of patches for these vulnerabilities, the number of exploit attempts remains alarmingly high, often reaching thousands.

For further information, related articles were mentioned covering Mirai variants targeting vulnerabilities in IoT devices, Zyxel firewalls being hacked by the Mirai botnet, and a Mirai botnet launching a massive DDoS attack against a Minecraft server.

Full Article – https://ift.tt/be9fW7N