A New Variant of Mirai Botnet is Exploiting Four Device Vulnerabilities
Internet security experts are warning about a new variant of the Mirai botnet that is being used to recruit Linux-based servers and Internet of Things (IoT) devices into botnets capable of network-based attacks such as distributed denial of service (DDoS). A team at Palo Alto Networks observed the variant, dubbed IZ1H9, in an April 10 attack that leveraged four device vulnerabilities: two command injection flaws affecting Tenda G103 devices and LB-Link devices, and two remote code execution (RCE) flaws affecting DCN DCBI-Netlog-LAB and Zyxel devices. Although the primary purpose of IZ1H9 appears to be DDoS, the same exploits give the attacker code execution on the device, so a compromised device can become a persistent foothold and a launch point for attacks against the enterprise's own network without its knowledge.
The Modus Operandi of IZ1H9
The malware appears to be the work of a single threat actor or group, since the same shell-script downloader has been reused across several attacks. In the April 10 attack, the exploit payload attempted to fetch the shell-script downloader from a specific IP address. If executed, the downloader deletes logs to cover its tracks, downloads and executes bot clients built for several Linux CPU architectures, and then blocks inbound connections to the SSH, telnet, and HTTP ports by modifying the device's iptables rules. That last step locks the owner out of the usual remote-management paths, so the compromised device can no longer be recovered remotely.
IZ1H9 also checks the network portion of the infected device's IP address and refuses to run on specific IP blocks, including government networks, Internet providers, and large technology companies. This suggests the operators want to stay clear of organizations likely to notice and respond, so that the botnet can keep running long term.
How to Mitigate the Threat of Botnets
Mirai has spawned numerous variants since its source code was leaked in 2016, including one that can exploit up to 30 vulnerabilities in various devices. Experts recommend applying the latest firmware versions and available vendor patches to vulnerable devices. Organizations can also protect their networks with advanced firewall and threat-protection products that use machine learning to detect exploitation attempts in real time.
Advanced URL filtering and DNS security can block command-and-control domains and malware-hosting URLs. Public-facing devices should not leave ports 80 (HTTP), 22 (SSH), and 23 (Telnet) reachable from the Internet; these are the same services the IZ1H9 downloader locks down once it has taken over a device. Owners who leave these ports exposed directly contribute to the botnet problem.
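As an added example (not code from the original article, from Palo Alto Networks, or from the malware itself), the following Python script audits an `iptables-save` dump from a Linux-based device for the three ports named above. It classifies each of 22, 23 and 80 as exposed (a new connection from any source is accepted), restricted (accepted only from an assumed management network) or blocked (dropped for everyone), and it flags the all-three-blocked state that the downloader described earlier leaves behind. The three rule sets, the management address 10.0.0.5 and the probe address 198.51.100.7 are constructed for the example; the parser handles the common `-s`, `-p`, `--dport(s)`, `-i lo`, conntrack-state and `-j` options and raises on negated (`!`) matches rather than guessing.

```python
"""Audit the INPUT chain of an iptables-save dump for ports 22, 23 and 80.
Added example; the rule sets below are constructed, not captured from a device."""
import ipaddress

MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
ONE_ARG = {"-A", "-s", "-d", "-i", "-o", "-p", "-m", "-j", "--dport", "--dports",
           "--sport", "--sports", "--ctstate", "--state"}
# TEST-NET-2 address standing in for "any host on the internet" (assumption).
PUBLIC_PROBE = ipaddress.ip_address("198.51.100.7")

# Constructed sample 1: factory-style config, everything accepted.
EXPOSED = "*filter\n:INPUT ACCEPT [0:0]\nCOMMIT\n"

# Constructed sample 2: SSH and HTTP only from 10.0.0.0/24, telnet not offered.
HARDENED = """*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

# Constructed sample 3: the state the IZ1H9 downloader leaves behind, with SSH,
# telnet and HTTP dropped for every source so the owner cannot get back in.
LOCKED_OUT = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
COMMIT
"""


def parse_rule(line):
    """Turn one '-A INPUT ...' line into the match fields this audit needs."""
    rule = {"src": None, "proto": None, "dports": None, "target": None,
            "iface": None, "states": None}
    toks, i = line.split(), 0
    while i < len(toks):
        t = toks[i]
        if t == "!":  # negated matches are not modelled; fail loudly instead
            raise ValueError(f"negated match not supported: {line}")
        val = toks[i + 1] if t in ONE_ARG and i + 1 < len(toks) else None
        if t == "-s":
            rule["src"] = ipaddress.ip_network(val, strict=False)
        elif t == "-p":
            rule["proto"] = val
        elif t in ("--dport", "--dports"):
            rule["dports"] = {int(p) for p in val.split(",")}  # single ports only
        elif t == "-j":
            rule["target"] = val
        elif t == "-i":
            rule["iface"] = val
        elif t in ("--ctstate", "--state"):
            rule["states"] = set(val.split(","))
        i += 2 if t in ONE_ARG else 1
    return rule


def parse_input_chain(save_text):
    """Return (policy, rules) for the INPUT chain of the filter table."""
    policy, rules, in_filter = "ACCEPT", [], False
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":INPUT "):
            policy = line.split()[1]
        elif in_filter and line.startswith("-A INPUT "):
            rules.append(parse_rule(line))
    return policy, rules


def verdict(policy, rules, port, src):
    """First-match walk of the chain for a new TCP connection to port from src."""
    for r in rules:
        if r["iface"] == "lo":                        # loopback-only rule
            continue
        if r["states"] and "NEW" not in r["states"]:  # e.g. ESTABLISHED,RELATED
            continue
        if r["proto"] not in (None, "tcp"):
            continue
        if r["dports"] and port not in r["dports"]:
            continue
        if r["src"] is not None and src not in r["src"]:
            continue
        if r["target"] in TERMINAL:                   # jumps to user chains are skipped
            return r["target"]
    return policy


def audit(save_text, mgmt_ip):
    """Classify each management port as exposed, restricted or blocked."""
    policy, rules = parse_input_chain(save_text)
    mgmt, status = ipaddress.ip_address(mgmt_ip), {}
    for port in MGMT_PORTS:
        from_world = verdict(policy, rules, port, PUBLIC_PROBE)
        from_mgmt = verdict(policy, rules, port, mgmt)
        if from_world == "ACCEPT":
            status[port] = "exposed"
        elif from_mgmt == "ACCEPT":
            status[port] = "restricted"
        else:
            status[port] = "blocked"
    return status


def findings(status):
    """Exposure to any source is a FAIL; all three ports dropped is a WARN."""
    out = [f"FAIL {p}/{MGMT_PORTS[p]} reachable from any source"
           for p, s in status.items() if s == "exposed"]
    if all(s == "blocked" for s in status.values()):
        out.append("WARN ssh, telnet and http dropped for every source; "
                   "matches the IZ1H9 lockout, confirm it was intended")
    return out


if __name__ == "__main__":
    for name, dump in (("exposed", EXPOSED), ("hardened", HARDENED), ("locked_out", LOCKED_OUT)):
        print(name, findings(audit(dump, "10.0.0.5")) or ["OK"])
```

On a real device, feed it `iptables-save` output and your own management subnet; the point of the two probes is that "restricted" and "blocked" look identical from the Internet, and only the second probe, from inside the management network, tells a deliberately hardened device apart from one that IZ1H9 has sealed off.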
The Need for Better Security Standards for IoT Devices
One major obstacle to remedying these scenarios is that IoT device manufacturers often ship devices with these ports open by default, which industry experts consider negligent. Stephen Gates, a principal security subject matter expert at security firm Horizon3.ai, believes there should be an international governing body that holds IoT manufacturers responsible when their devices are infected by botnets and used to attack others. He suggests that some form of penalty is the only way to persuade manufacturers to prioritize security when making and selling these devices.