During the second half of 2022, a variant of the Mirai malware called V3G4 was seen targeting 13 vulnerabilities to ensnare Internet of Things (IoT) devices into a botnet, Palo Alto Networks reports.
Following the successful exploitation of the targeted security flaws, the malware takes full control of the vulnerable devices and then abuses them to conduct various types of malicious activities, including distributed denial-of-service (DDoS) attacks.
Starting in July 2022, the V3G4 variant was used in multiple attack campaigns, likely run by the same threat actor: the samples share hardcoded command-and-control (C&C) domains, malware downloaders, an XOR decryption key, identical functions, and the same ‘stop list’ of processes to terminate.
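The XOR key is one of the markers used to tie the samples together because, as in the original Mirai, the bot keeps its C&C domain, stop list and other strings in a table that is XOR-obfuscated with one hardcoded key. The script below is an added example of how an analyst recovers that key from an unpacked string table and compares it across samples; it is not code from the article or from Palo Alto Networks. It assumes the scheme from the leaked Mirai source (table.c XORs every byte with each byte of the 0xDEADBEEF constant in turn, which collapses to a single-byte XOR with 0x22), models the table as NUL-terminated entries, and uses a constructed sample blob whose placeholder entries are not taken from any V3G4 binary. Whether V3G4 reuses the original key and layout is not stated in the article.

```python
"""Recover the single-byte XOR key of a Mirai-style obfuscated string table.

Added example: the embedded SAMPLE_BLOB is CONSTRUCTED for this demonstration
and is not data from a V3G4 sample. The 0xDEADBEEF constant and the
byte-by-byte XOR scheme come from the leaked original Mirai table.c; that V3G4
uses the same scheme is an assumption made for the example.
"""
import string

MIRAI_TABLE_KEY = 0xDEADBEEF  # key constant in the original Mirai table.c

# Bytes accepted in a decoded table: printable ASCII plus the NUL terminators
# that separate the entries.
ALLOWED = set(string.printable.encode()) | {0}


def effective_key(key32: int) -> int:
    """Mirai XORs each byte with the four key bytes one after another, so the
    whole scheme is equivalent to a single XOR with the four bytes folded."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key32 >> shift) & 0xFF
    return k


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, its own inverse."""
    return bytes(b ^ key for b in data)


def decode_table(blob: bytes, key: int) -> list[str]:
    """Decode a table of NUL-terminated entries with a single-byte key."""
    plain = xor_bytes(blob, key)
    return [e.decode("ascii", errors="replace") for e in plain.split(b"\x00") if e]


def recover_key(blob: bytes, crib: bytes) -> list[int]:
    """Return every key under which the decoded blob is entirely printable
    (or NUL) and contains the crib.

    A printable-ratio check alone is ambiguous for small keys (XOR with 0x01
    or 0x20 keeps most ASCII printable), so anchor on a crib such as b"/proc/"
    or b"busybox" that practically every Mirai table contains. Comparing the
    recovered key across samples is one of the linkage indicators mentioned
    above.
    """
    hits = []
    for key in range(256):
        plain = xor_bytes(blob, key)
        if crib in plain and all(b in ALLOWED for b in plain):
            hits.append(key)
    return hits


# Constructed sample table (NOT from V3G4). Entry contents are placeholders
# standing in for the kinds of strings such a table holds.
SAMPLE_ENTRIES = [
    "c2.example.invalid",  # hardcoded C&C domain (placeholder name)
    "/proc/",              # used when walking the process list
    "/bin/busybox",        # shell helper path
    "telnetd",             # a 'stop list' style process name (placeholder)
]
SAMPLE_BLOB = xor_bytes(
    b"".join(e.encode() + b"\x00" for e in SAMPLE_ENTRIES),
    effective_key(MIRAI_TABLE_KEY),
)


if __name__ == "__main__":
    keys = recover_key(SAMPLE_BLOB, b"/proc/")
    print("candidate keys:", [hex(k) for k in keys])
    for k in keys:
        for entry in decode_table(SAMPLE_BLOB, k):
            print(f"  key {k:#04x}: {entry}")
```

Run against a real sample, the blob would be the bytes of the table section carved out of the unpacked binary; a recovered key that differs between two samples is a quick signal that they were built by a different builder configuration, while a shared key is only one indicator and should be weighed together with the C&C domains and stop list, as the report does.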
To compromise devices, the threat actor exploits 13 remote code execution vulnerabilities, using the injected commands to invoke download utilities on the target device that fetch and execute the Mirai payload.
The targeted vulnerabilities affect FreePBX Elastix (CVE-2012-4869), Gitorious, FRITZ!Box webcams (CVE-2014-9727), Mitel AWC, Geutebruck IP cameras (CVE-2017-5173), Webmin (CVE-2019-15107), Spree Commerce, FLIR Thermal cameras, DrayTek Vigor (two flaws, CVE-2020-8515 and CVE-2020-15415), Airspan AirSpot (CVE-2022-36267), Atlassian Confluence (CVE-2022-26134), and the C-Data Web Management System (CVE-2022-4257).
Following successful execution on a vulnerable device, the Mirai variant makes sure that only one instance of the malware runs, then attempts to terminate processes included in the hardcoded ‘stop list’.
Malware samples collected over the course of three different campaigns showed slight changes in the code. Some Mirai samples spread on their own by brute-forcing weak credentials and others additionally carry embedded exploits, but the samples seen between September and December 2022 contain neither capability.
“The vulnerabilities mentioned above have less attack complexity than previously observed variants, but they maintain a critical security impact that can lead to remote code execution. Once the attacker gains control of a vulnerable device in this manner, they could take advantage by including the newly compromised devices in their botnet to conduct further attacks such as DDoS,” Palo Alto Networks notes.
Organizations are advised to ensure that all devices in their environments are patched against known vulnerabilities, that they are protected with strong, unique passwords, and that unused ports and services, which attackers frequently target, are blocked or otherwise unreachable from the internet.