- Researchers discovered multiple vulnerable endpoints being targeted by a new Mirai variant
- The endpoints are assimilated into a botnet and used for DDoS attacks
- The vulnerabilities used in the attack are years old
Mirai, an infamous botnet targeting Internet of Things (IoT) devices to use in Distributed Denial of Service (DDoS) attacks, has gotten a new variant which is now targeting multiple vulnerable devices, experts hae warned.
The malware is reportedly going after DigiEver DS-2105 Pro NVRs, multiple TP-Link routers with outdated firmware, and Teltonika RUT9XX routers. For DigiEver, Mirai is abusing an unpatched remote code execution (RCE) vulnerability that doesn’t even have a tracking number.
For TP-Link, Mirai abuses CVE-2023-1389, and for Teltonika, it’s going for CVE-2018-17532. It’s worth noting that the TP-Link flaw is a year old, while the Teltonika one is roughly six years old. That means that the crooks are mostly targeting organizations with poor cybersecurity and patching practices.
Mirai is an active threat
The campaign most likely started in September or October 2024, and according to researchers from Akamai, uses XOR and ChaCha20 encryption, and targets different system architectures, including ARM, MIPS, and x86.
“Although employing complex decryption methods isn’t new, it suggests evolving tactics, techniques, and procedures among Mirai-based botnet operators,” Akamai said.
“This is mostly notable because many Mirai-based botnets still depend on the original string obfuscation logic from recycled code that was included in the original Mirai malware source code release.”
Experts from Juniper Research recently warned Mirai operators were looking for easy-to-compromise Session Smart routers.
“On Wednesday, December 11, 2024, several customers reported suspicious behavior on their Session Smart Network (SSN) platforms,” Juniper said in its security advisory.
Researchers also recently reported cybercriminals were exploiting a flaw in the AVM1203, a surveillance camera model designed and sold by Taiwanese manufacturer AVTECH, to hijack the endpoints and assimilate them into the Mirai botnet.
Via BleepingComputer
Leave a comment