A variant of the Mirai botnet has recently updated its arsenal of tools with 13 exploits targeting vulnerabilities in IoT devices from D-Link, TP-Link, Zyxel, and various other manufactures, Fortinet reports.
Tracked as IZ1H9 and first discovered in August 2018, this Mirai variant is one of the most active, exploiting unpatched vulnerabilities in IoT devices to ensnare them and abuse them in distributed denial-of-service (DDoS) attacks.
Following the addition of exploits for several new security bugs earlier this year, IZ1H9 has recently expanded its arsenal once again, now packing exploits for more than 30 vulnerabilities in D-Link, Geutebruck, Korenix, Netis, Sunhillo, Totolink, TP-Link, Yealink, and Zyxel devices.
Exploitation of these vulnerabilities peaked on September 6, when Fortinet saw thousands of attack attempts.
Of the newly added exploits, four target D-Link issues tracked as CVE-2015-1187, CVE-2016-20017, CVE-2020-25506, and CVE-2021-45382. These critical-severity flaws allow remote attackers to execute arbitrary code on affected devices.
According to Fortinet, eight other exploits target arbitrary command execution bugs impacting the firmware that UDP Technology supplies to Geutebruck and other OEMs for their IP cameras.
The botnet variant also added an exploit for CVE-2023-23295, a command injection flaw in Korenix JetWave routers, one for CVE-2019-19356, a remote code execution (RCE) bug in Netis WF2419 wireless routers (exploited by Mirai variants before), and another for CVE-2021-36380, a critical OS command injection issue in the Sunhillo SureLine application.
According to Fortinet, IZ1H9 also added exploits for 12 command injection vulnerabilities impacting Totolink routers, a recent command injection flaw in TP-Link Archer AX21 routers (CVE-2023-1389), two Yealink Device Management bugs, and an RCE vulnerability in Zyxel EMG3525 and VMG1312 devices.
Fortinet says it also noticed that the malware includes a non-functional payload that apparently targets a Prolink PRC2402M router flaw (CVE-2021-35401).
It’s worth noting that for some of the newly added vulnerabilities, such as CVE-2021-36380 and CVE-2023-23295, there do not appear to be any previous reports of in-the-wild exploitation.
“IoT devices have long been an attractive target for threat actors, with remote code execution attacks posing the most common and concerning threats to both IoT devices and Linux servers. The exposure of vulnerable devices can result in severe security risks. Despite the availability of patches for these vulnerabilities, the number of exploit triggers remains alarmingly high, often numbering in the thousands,” Fortinet concludes.