Mirai Offspring “Echobot” Uses 26 Different Exploits

A recently discovered variant of the Mirai Internet of Things (IoT) malware uses a total of 26 different exploits for the infection phase, Akamai reports. 

Targeting improperly secured IoT devices, Mirai was first spotted in 2016 and had its source code published online in October that year. Numerous variants of the threat have emerged since, with the most recent of them targeting more processor architectures and aiming to infect devices in enterprise environments.

Dubbed Echobot, the latest variant of the botnet was observed earlier this month, when it included 18 exploits, 8 of which were new to the Mirai code. The threat was also targeting a recently patched Oracle WebLogic remote code execution vulnerability (CVE-2019-2725).

Now, Akamai’s Larry Cashdollar says that a newer version of Echobot uses 26 different exploits for infection, most of which target well-known command execution vulnerabilities in various networked devices. No CVE numbers were assigned for some of the flaws, although public advisories for them had been published. 

The exploits targeted devices from ADM, Ubiquiti (AirOS), ASMAX, ASUS, Belkin, Blackbot, DD-WRT, Dell, D-Link, Dreambox, Geutebruck, Hootoo, Linksys, Netgear, Nuuo, Oracle, Realtek, Seowonintech, SuperSign, Umotion, VeraLite, VMware, wePresent, WIFICAM, Yealink, and ZeroShell.

Analysis of the malicious code revealed the inclusion of cross-application vulnerabilities, as botnet creators are no longer relying solely on devices with embedded OSes, such as routers, cameras, and DVRs. 

Vulnerabilities in enterprise web (Oracle WebLogic) and networking software (VMware SD-WAN) are also exploited to infect systems and propagate the malware. At the same time, the botnet developers are targeting unpatched legacy vulnerabilities, given the inclusion of an exploit for a 10-year-old flaw in ZeroShell.

The malware’s loader system is a virtual server hosted in Bulgaria on Neterra’s cloud network. The binaries, which are hosted via FTP and HTTP, were recently updated and feature file timestamps of June 7. 

“Botnet developers are always looking for ways to spread malware. They are not just relying on exploiting new vulnerabilities that target IoT devices, but vulnerabilities in enterprise systems as well. Some of the new exploits they’ve added are older and have remained unpatched by the vendor. It seems the updates to Echobot are targeting systems that have possibly remained in service, but whose vulnerabilities were forgotten,” Cashdollar points out. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
