A variant of the Mirai botnet known as Beastmode was seen exploiting newly disclosed vulnerabilities in TOTOLINK routers between February and March 2022. The exploits are used to infect unpatched devices and potentially expand the botnet's reach.
According to Fortinet’s FortiGuard Labs Research team, the Mirai-based DDoS campaign Beastmode (or B3astmode) has rapidly upgraded its arsenal of exploits. Five more exploits were added within a month, three of which targeted specific TOTOLINK router types. The following flaws in TOTOLINK routers are being exploited:
- CVE-2022-26210 (CVSS score of 9.8) – A command injection flaw that could be exploited to gain arbitrary code execution,
- CVE-2022-26186 (CVSS score of 9.8) – A command injection flaw impacting TOTOLINK N600R and A7100RU routers, and
- CVE-2022-25075 to CVE-2022-25084 (CVSS scores of 9.8) – Command injection flaws that affect several TOTOLINK routers, resulting in code execution.
The other vulnerabilities that Beastmode exploits include flaws in the TP-Link Tapo C200 IP camera (CVE-2021-4045, CVSS score of 9.8), video surveillance solutions by NUUO and Netgear (CVE-2016-5674, CVSS score of 9.8), Huawei HG532 routers (CVE-2017-17215, CVSS score of 8.8), and discontinued D-Link products (CVE-2021-45382, CVSS score of 9.8).
To prevent affected models from being taken over by the botnet, users are urgently advised to upgrade their devices to the most recent firmware.
“Even though the original Mirai author was arrested in fall 2018, [the latest campaign] highlights how threat actors, such as those behind the Beastmode campaign, continue to rapidly incorporate newly published exploit code to infect unpatched devices using the Mirai malware,” said the researchers.