Mirai-based Botnet Exploiting Zero-Day Bugs in Routers and NVRs for Massive DDoS Attacks

Mirai-based Botnet Exploiting Zero-Day Bugs in Routers and NVRs for Massive DDoS Attacks

November 23, 2023 at 05:54AM

An active malware campaign is using two zero-day vulnerabilities to create a Mirai-based DDoS botnet by targeting routers and network video recorders. Akamai has discovered the attacks and identified the malware variants involved. The flaws are being kept under wraps to allow vendors to patch them. The attacks utilize offensive language and racial slurs in their command-and-control servers. Additionally, a web shell called wso-ng has been found, which conceals its login interface and allows attackers to run commands on servers for data theft and other malicious activities.

Summary of Meeting Notes:

– An active malware campaign is exploiting two zero-day vulnerabilities with remote code execution (RCE) capabilities to create a DDoS botnet using compromised routers and video recorders.
– The malware targets devices with default admin credentials and installs variants of the Mirai malware.
– Details of the vulnerabilities are being kept confidential to allow vendors to release patches before other threat actors can exploit them. Updates are expected to be released next month.
– The attacks were discovered by Akamai against their honeypots in late October 2023, but the perpetrators have not yet been identified.
– The botnet involved in the attacks is called InfectedSlurs and is a variant of the JenX Mirai malware identified in January 2018.
– Akamai has also discovered malware samples related to the hailBot Mirai variant, which emerged in September 2023.
– Akamai revealed a web shell called wso-ng, an advanced version of WSO, that conceals its login interface behind a 404 error page and has reconnaissance capabilities for lateral movement and unauthorized access to sensitive data.
– Web shells allow attackers to run commands on servers and can be used for various malicious activities.
– Off-the-shelf web shells are becoming popular among attackers as they make attribution difficult and help in evading detection.
– Attackers also frequently use compromised legitimate domains for their command-and-control servers and malware distribution.
– Infoblox disclosed an attack in August 2023 involving compromised WordPress websites redirecting visitors to C2 and DDGA domains. The activity was attributed to a threat actor named VexTrio.

Full Article