Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

IoT Botnets Target Apache Struts, SonicWall GMS

The infamous Mirai and Gafgyt Internet of Things (IoT) botnets are targeting vulnerabilities in Apache Struts and the SonicWall Global Management System (GMS), Palo Alto Networks has discovered.

The infamous Mirai and Gafgyt Internet of Things (IoT) botnets are targeting vulnerabilities in Apache Struts and the SonicWall Global Management System (GMS), Palo Alto Networks has discovered.

The Mirai variant observed in attacks last week packs exploits for 16 vulnerabilities, including one targeting CVE-2017-5638, the Apache Struts vulnerability that led to the Equifax data breach in 2017.

The domain currently hosting the new Mirai samples was resolving to a different IP address in August, and was seen hosting samples of the Gafgyt botnet (aka BASHLITE) that included an exploit for CVE-2018-9866, a flaw in older versions of SonicWall’s Global Management System (GMS).

Another interesting characteristic of the new Mirai samples, Palo Alto Networks’ security researchers say, is that they no longer include the brute-force functionality generally used by the infamous IoT malware.

Ever since its source code was posted online in October 2016, Mirai has been continuously evolving, and the switch towards targeting vulnerabilities rather than brute-forcing credentials has been observed in other botnet samples as well.

Gafgyt’s newly acquired exploit is targeting a vulnerability affecting unsupported versions of SonicWall GMS (8.1 and older), the researchers point out. The first sample to target the flaw emerged on August 5, less than a week after an exploit for it was added to Metasploit.

“The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could be an indication of a larger movement from consumer device targets to enterprise targets,” Palo Alto Networks notes.

“All organizations should ensure they keep not only their systems up-to-date and patched, but also their IoT devices,” the security firm said.

Capable of launching powerful distributed denial of service (DDoS) attacks, both Mirai and Gafgyt have shown a surge in activity over the past several months. Now capable of infecting more than just IoT devices, these botnets pose increasingly higher risks to consumers and businesses alike.

UPDATE. “The vulnerability disclosed in this post is not an announcement of a new vulnerability in SonicWall Global Management System (GMS). The issue referenced only affects an older version of the GMS software (version 8.1) which was replaced by version 8.2 in December 2016. Customers and partners running GMS version 8.2 and above are protected against this vulnerability,” a SonicWall spokesperson told SecurityWeek in an emailed comment.

“Customers still using GMS version 8.1 should apply a hotfix supplied by SonicWall in August 2018 and plan for an immediate upgrade, as GMS 8.1 went out of support in February 2018. SonicWall and its threat research team continuously updates its products to provide industry-leading protection against the latest security threats, and it is therefore crucial that customers are using the latest versions of our products. We recommend that customers with older versions of GMS, which are long out of support, should upgrade immediately,” the spokesperson continued.

Related: Cross-Platform Mirai Variant Leverages Open-Source Project

Related: Mirai, Gafgyt IoT Botnet Attacks Intensify

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.