Miscreants are currently exploiting two new zero-day vulnerabilities to compromise routers and video recorders [2] [3] [6], creating a distributed denial-of-service (DDoS) botnet [1] [2] [3] [4] [5] [6]. These vulnerabilities allow for remote code execution when devices use default administrative credentials [2] [3] [6]. The attackers are infecting compromised devices with Mirai [2] [3] [6], a powerful open-source software that creates botnets capable of launching massive DDoS attacks [2] [3] [6].

Description

One of the zero-day vulnerabilities affects network video recorders [2] [3], while the other affects a wireless LAN router commonly used in hotels and residential applications [2] [3] [6]. The router is produced by a Japan-based manufacturer [2], and it is suspected that other router models may also be affected. The specific devices and manufacturers are not being disclosed until fixes are in place to prevent further abuse [3].

The attackers are using a command injection technique that requires them to authenticate using the device’s credentials [3]. The Mirai strain used in the attacks is primarily an older variant known as JenX [3], but it has been modified to use fewer domain names [3]. Some malware samples also show ties to another Mirai variant called hailBot [3].

The attacks were discovered by a web infrastructure and security company in late October 2023 [1] [4] [5]. The company has published the file hashes, IP addresses and domains used in the attacks so that network owners can check whether their devices have been targeted [3]. Additionally, the company identified a web shell called wso-ng [5], which conceals its login interface behind a 404 error page [5]. This web shell can retrieve AWS metadata and search for Redis database connections to gain unauthorized access to sensitive application data [5]. The use of off-the-shelf web shells is an attempt to frustrate attribution efforts and evade detection [5]. Attackers also utilize compromised-but-legitimate domains for command-and-control (C2) purposes and malware distribution [1] [4] [5]. In August 2023 [5], compromised WordPress websites were used to conditionally redirect visitors to intermediary C2 and dictionary domain generation algorithm (DDGA) domains [5]. This activity has been attributed to a threat actor named VexTrio [1] [5].
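A web shell that hides its login behind a 404 page can be caught by a simple heuristic: a genuine error page never asks for a password. The following defender-side check is an added example, not code from Akamai or from any of the cited articles, and the sample HTML bodies are constructed for illustration rather than taken from real wso-ng output.

```python
from html.parser import HTMLParser


class _FormProbe(HTMLParser):
    """Counts <form> elements and password <input> fields in an HTML body."""

    def __init__(self):
        super().__init__()
        self.forms = 0
        self.password_inputs = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms += 1
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1


def suspicious_404(status: int, body: str) -> bool:
    """True when a 404 response still carries a password form.

    A stock 'Not Found' page has no reason to prompt for credentials, so a
    404 that does is a candidate hidden login page worth a manual look.
    """
    if status != 404:
        return False
    probe = _FormProbe()
    probe.feed(body)
    return probe.forms > 0 and probe.password_inputs > 0


def flag_responses(responses):
    """Return the URLs whose (status, body) pairs look like a concealed login."""
    return [url for url, status, body in responses if suspicious_404(status, body)]


# Constructed samples (hypothetical, not captured from a real incident).
GENUINE_404 = "<html><body><h1>404 Not Found</h1></body></html>"
FAKE_404 = ("<html><body><h1>404 Not Found</h1>"
            "<form method='post'><input type='password' name='pass'>"
            "<input type='submit' value='Go'></form></body></html>")

if __name__ == "__main__":
    sample = [("/missing.html", 404, GENUINE_404),
              ("/uploads/x.php", 404, FAKE_404),
              ("/login", 200, FAKE_404)]
    print(flag_responses(sample))  # only the fake 404 is reported
```

Run it over crawl results or proxy logs of your own web estate; any hit is a page to inspect, not proof of compromise.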

The vulnerabilities are currently undisclosed to allow vendors to release patches [1] [4] [5]. Akamai researchers have reported the vulnerabilities to the manufacturers [3], and one of them has committed to releasing security patches next month [3]. Snort rules and indicators of compromise published by Akamai can be used to detect and repel these attacks [3], but there is currently no way to identify the specific vulnerable devices or their manufacturers [3].

Conclusion

The active malware campaign [1] [4] [5], known as InfectedSlurs [1] [4], exploits the two zero-day vulnerabilities to create a Mirai-based DDoS botnet. This campaign specifically targets routers and video recorders that use default admin credentials and installs Mirai variants [1]. The vulnerabilities are being kept under wraps to allow vendors to release patches [1] [4].

The use of the Mirai malware and the web shell wso-ng highlights the sophistication of the attackers. They are employing compromised-but-legitimate domains for command-and-control purposes and malware distribution [1] [4] [5], making it more challenging to detect and mitigate their activities.

The discovery of these vulnerabilities and the ongoing attacks serve as a reminder of the importance of timely patching and strong authentication practices. It is crucial for device manufacturers and users to stay vigilant and implement necessary security measures to protect against such threats.

References

[1] https://www.redpacketsecurity.com/mirai-based-botnet-exploiting-zero-day-bugs-in-routers-and-nvrs-for-massive-ddos-attacks/
[2] https://vuink.com/post/nefgrpuavpn-d-dpbz/security/2023/11/thousands-of-routers-and-cameras-vulnerable-to-new-0-day-attacks-by-hostile-botnet
[3] https://arstechnica.com/security/2023/11/thousands-of-routers-and-cameras-vulnerable-to-new-0-day-attacks-by-hostile-botnet/
[4] https://ciso2ciso.com/mirai-based-botnet-exploiting-zero-day-bugs-in-routers-and-nvrs-for-massive-ddos-attacks-sourcethehackernews-com/
[5] https://thehackernews.com/2023/11/mirai-based-botnet-exploiting-zero-day.html
[6] https://www.lacortenews.net/2023/11/23/thousands-of-routers-and-cameras-vulnerable-to-new-0-day-attacks-by-hostile-botnet/