Recent security reports indicate the emergence of new Mirai botnets exploiting specific vulnerabilities to target IoT devices.
The attacks are ongoing: they attempt to download a malicious shell script that leads to further infection, such as the execution of Mirai variants and brute-force attack components.
New Mirai Variant Leveraging Several Exploits
In February, Palo Alto’s Unit 42 researchers unearthed attacks exploiting a number of vulnerabilities:
VisualDoor (a SonicWall SSL-VPN exploit; see https://sensorstechforum.com/sonicwall-zero-day/).
CVE-2020-25506 (a D-Link DNS-320 firewall exploit).
CVE-2020-26919 (a Netgear ProSAFE Plus exploit).
Possibly CVE-2019-19356 (a Netis WF2419 wireless router exploit).
Three other IoT vulnerabilities yet to be identified.
Previously, Mirai and its variants have exploited other vulnerabilities. One example is CVE-2020-5902. The flaw was first disclosed in the first week of July 2020, prompting network engineers and security administrators to audit their systems for exposure.
However, the published advisory also gave attackers the details they needed to add exploit code for the flaw to the Mirai botnet's infiltration module. In addition, the flaw was added to the Shodan search engine, which allowed anyone to scan for vulnerable networks and exposed network hosts.
In March 2019, another Mirai variant specifically targeted embedded enterprise devices such as presentation systems, surveillance systems and network storage devices. This development indicated “a potential shift for using Mirai to target enterprises”, according to a report by Palo Alto Networks’ Unit 42.
ZHtrap botnet also detected in the wild
It is noteworthy that Mirai is not the only IoT botnet currently spreading in the wild. Netlab 360 security researchers reported the discovery of a new Mirai-based botnet known as ZHtrap. The botnet uses a honeypot to find new targets and relies on features taken from the Matryosh DDoS botnet.
What did Netlab 360 security researchers say about ZHtrap?
“ZHtrap’s propagation uses four N-day vulnerabilities, the main function is DDoS and scanning, while integrating some backdoor features. Zhtrap sets up a honeypot on the infected device, [and] takes snapshots for the victim devices, and disables the running of new commands based on the snapshot, thus achieving exclusivity over the device,” the report revealed.