Another variant of the infamous Mirai botnet is circulating on the web, exploiting a specific set of vulnerabilities in TOTOLINK routers.
The critical vulnerabilities are relatively new, disclosed between February and March 2022, and the affected platform is Linux. By exploiting them, remote attackers could gain control over exposed systems, according to FortiGuard Labs (Fortinet) researchers.
The researchers dubbed the Mirai-based campaign observed in that period Beastmode, noting that it had aggressively updated its arsenal of exploits by adding the five new vulnerabilities in TOTOLINK routers.
CVE-2022-26210, CVE-2022-25075 to 84, CVE-2022-26186 in TOTOLINK Routers
The vulnerabilities are the following, as disclosed by FortiGuard:
- CVE-2022-26210 targeting TOTOLINK A800R, A810R, A830R, A950RG, A3000RU, and A3100R;
- CVE-2022-26186 targeting TOTOLINK N600R and A7100RU;
- CVE-2022-25075 to CVE-2022-25084 (25076/25077/25078/25079/25080/25081/25082/25083/25084) – a family of similar vulnerabilities targeting TOTOLINK A810R, A830R, A860R, A950RG, A3100R, A3600R, T6, and T10 routers.
“The inclusion of TOTOLINK exploits is especially noteworthy as they were added just a week after the exploit codes were published on GitHub. We previously reported on the MANGA campaign, which similarly adopted exploit code within weeks of their release,” the report said.
Threat actors are quick to adopt newly released exploit code, which increases both the number of potential victims and the number of devices enrolled in the Beastmode DDoS botnet. Fortunately, the router vendor (TOTOLINK) has already released updated firmware that fixes the issues. Owners of the affected routers are urged to update their firmware as soon as possible.
Other Mirai-based botnets leveraging different exploits include Yowai and Masuta.