Mozi P2P Malware Targets Netgear, Huawei, and ZTE Network Gateways – E Hacking News
Mozi, a peer-to-peer (P2P) malware known to target internet-of-things devices, has developed new capabilities to target network gateways manufactured by Netgear, Huawei, and ZTE, Microsoft researchers said on Thursday.
“Network gateways are a particularly juicy target for adversaries because they are ideal as initial access points to corporate networks. By infecting routers, they can perform man-in-the-middle (MITM) attacks—via HTTP hijacking and DNS spoofing—to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities,” researchers at Microsoft Security Threat Intelligence Center and Section 52 at Azure Defender for IoT explained.
According to researchers at Netlab 360, who first spotted the Mozi botnet in December 2019, Mozi is known for exploiting routers and digital video recorders in order to assemble them into an IoT botnet, which could be abused for launching distributed denial-of-service (DDoS) attacks, data exfiltration, and payload execution. The malware has evolved from the source code of several known malware families such as Gafgyt, Mirai, and IoT Reaper.
Mozi spreads by brute-forcing devices exposed online or by abusing known, unpatched vulnerabilities in the target devices. The malware communicates using a BitTorrent-like Distributed Hash Table (DHT) to record the contact information of other nodes in the botnet, the same technique used by file-sharing P2P clients. An infected device listens for commands from the controller node and also attempts to exploit other susceptible devices.
Back in September 2020, an IBM X-Force analysis noted that Mozi accounted for about 90% of the IoT network traffic observed by its security analysts from October 2019 through June 2020, suggesting that attackers are increasingly exploiting the expanding attack surface provided by IoT devices. In a separate report released last month, the Elastic Security Intelligence and Analytics Team found that the botnet has targeted at least 24 countries to date, with Bulgaria and India at the forefront.
Microsoft’s IoT security team has identified that the botnet “takes specific actions to increase its chances of survival upon reboot or any other attempt by other malware or responders to interfere with its operation.” This includes establishing persistence on infected devices and blocking TCP ports (23, 2323, 7547, 35000, 50023, and 58000) that are used for remote access to the gateway.
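As an added defender-side check (not code from the article or from Microsoft's report), the script below parses collected `iptables -S` output from a gateway and flags the case where several of the remote-access ports listed above have been dropped at once; a single closed port such as telnet is normal hygiene, so it only alerts above a threshold. The rule set is a constructed sample, and the `threshold` value is an assumption.

```python
import re

# TCP ports the article reports Mozi blocks on infected gateways.
MOZI_BLOCKED_PORTS = {23, 2323, 7547, 35000, 50023, 58000}

# Constructed sample of `iptables -S` output (not a real capture).
SAMPLE_IPTABLES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 2323 -j DROP
-A INPUT -p tcp -m tcp --dport 7547 -j DROP
-A INPUT -p tcp -m multiport --dports 35000,50023,58000 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""

JUMP_RE = re.compile(r"-j\s+(DROP|REJECT)\b")
DPORT_RE = re.compile(r"--dports?\s+([\d,:]+)")


def blocked_tcp_ports(rules_text):
    """Return the set of TCP destination ports that INPUT rules DROP or REJECT.

    Handles plain --dport, multiport --dports lists, and lo:hi port ranges.
    """
    ports = set()
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line.startswith("-A INPUT") or " -p tcp" not in line:
            continue
        if not JUMP_RE.search(line):
            continue
        m = DPORT_RE.search(line)
        if not m:
            continue
        for item in m.group(1).split(","):
            if ":" in item:
                lo, hi = item.split(":", 1)
                ports.update(range(int(lo), int(hi) + 1))
            else:
                ports.add(int(item))
    return ports


def mozi_port_block_check(rules_text, threshold=4):
    """Report which Mozi-associated ports are blocked; suspicious at >= threshold."""
    hit = blocked_tcp_ports(rules_text) & MOZI_BLOCKED_PORTS
    return {"matched_ports": sorted(hit), "suspicious": len(hit) >= threshold}
```

Run it against the output of `iptables -S` collected from a gateway during triage; a hit is a lead to confirm with the persistence artifacts, not proof of infection on its own.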
Security researchers have advised enterprises and consumers using Netgear, Huawei, and ZTE routers to secure the devices with strong passwords and to update them to the latest firmware. “Doing so will reduce the attack surfaces leveraged by the botnet and prevent attackers from getting into a position where they can use the newly discovered persistence and other exploit techniques,” Microsoft said.