November 23, 2023 at 03:29AM
Akamai has discovered two zero-day vulnerabilities that are being exploited to distribute the Mirai malware and create botnets for DDoS attacks. The vulnerabilities target routers and network video recorders from two vendors, and the devices’ default passwords are being used. Akamai’s Security Intelligence Response Team has not disclosed the affected brands or devices but expects patches to be released in December. In the meantime, organizations should check their routers and records to ensure they are not using default passwords and can also refer to Akamai’s published rules for potential infection detection.
From the meeting notes, we have learned the following information:
– Akamai has discovered two zero-day bugs that allow remote code execution. These bugs are being exploited to spread the Mirai malware and create a botnet army for DDoS attacks.
– The perpetrators of the campaign are unknown, but it is known that the zero-days target routers and network video recorders from two vendors and use default passwords.
– Akamai’s Security Intelligence Response Team (SIRT) has not named the affected brands or devices, but patches for vulnerable products are expected to be released in December.
– In the meantime, organizations can protect themselves by checking their routers and video recorders to ensure they are not using default passwords.
– Akamai has published Snort and YARA rules that organizations can use to detect potential infections in their environments.
– The affected devices include a specific model of a network video recorder from a camera vendor, as well as an “outlet-based wireless LAN router” from a Japanese vendor.
– While the exploit has been confirmed in one of the manufacturer’s routers, it is unclear if only one model is affected, as the exploited feature is a common one and code reuse across product offerings is possible.
– The new Mirai variant, named InfectedSlurs, primarily uses older JenX Mirai code but also includes samples linked to the hailBot Mirai variant.
– Akamai’s researchers discovered references to the C2 infrastructure of the InfectedSlurs campaign in a now-deleted Telegram account and a DDoS marketplace channel called DStatCC.
– The same C2 infrastructure was also observed targeting a Russian news site with a DDoS attack in May, based on an August post on PasteBin.
Please let me know if you need any further assistance or clarification.