The Mirai malware made news in 2016 when it brought the internet to its knees after attacking Dyn, a domain service provider. Since then, the malware has proliferated into several variants, and those variants have branched into still more. Now Palo Alto Networks Unit 42, which has been tracking the botnet since 2016, has found a new variant equipped with 8 exploits.
The new variant targets IoT devices that are gaining in popularity, such as SD-WANs, wireless presentation systems, and smart home controllers. The researchers explain that the number of exploits allows a single botnet to compromise a range of devices, thereby increasing the botnet's effectiveness. Many of these exploits are being farmed from public databases, most notably Exploit-DB, according to the researchers.
Below is a list of the exploits that the new variant employs.
A security researcher noticed command injection vulnerabilities in WePresent devices. Those vulnerabilities were then haphazardly patched. The problem is that a majority of WePresent devices run older software versions that have not been patched. These devices are used in over a hundred universities in North America, and this exploit targets every single version out there.
This bug gives an attacker remote access to affected servers.
VMware contains a web UI component that, if enabled, is vulnerable to remote command injection.
The U.motion Builder software that contains this remote code execution vulnerability has recently been retired. Devices that still run it now have to be moved off it.
Asustor's ADM firmware 3.1.0 does not sanitize user input when making a call to a local shell script. According to the advisory, "exploitation of this vulnerability allows an attacker execution of arbitrary commands on the host operating system, as the root user, remotely and unauthenticated."
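The ADM bug described above is the classic shape of a command injection: a web handler takes a request parameter and splices it into a shell command line that runs a local script. The following Python is an added illustration, not code from Unit 42 or from any of the vendors named on this page; the script path, the parameter name and the hostname format are assumptions. It shows the unsafe construction next to a hardened handler that validates the value against an allowlist and passes it as a single argv element, so no shell ever parses it.

```python
import re
import subprocess
from typing import List

# Hypothetical helper script that the web handler wraps (constructed example).
SCRIPT = "/usr/local/bin/ping_check.sh"

# What the vulnerable handler hands to `sh -c`: the request parameter is
# concatenated straight into the command line. Returning the string instead
# of executing it keeps the demonstration inert while showing that any shell
# metacharacter in the input lands unchanged inside the command.
def vulnerable_command(host_param: str) -> str:
    return f"{SCRIPT} {host_param}"


# Allowlist for the one thing this handler is meant to accept: a hostname.
# Letters, digits, dots and hyphens only; no whitespace, quotes or operators.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def hardened_argv(host_param: str) -> List[str]:
    """Validate the input, then build an argv list.

    With an argv list and shell=False the value is one argument to the
    script no matter what characters it contains; validation additionally
    rejects anything that is not a plausible hostname.
    """
    if not HOSTNAME_RE.fullmatch(host_param):
        raise ValueError("rejected host parameter")
    return [SCRIPT, host_param]


def run_check(argv: List[str]) -> str:
    """Execute argv without a shell and return stdout (never raises on
    a non-zero exit; the caller decides what that means)."""
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Constructed probe: a benign hostname followed by a shell separator.
    probe = "device.local;echo injected"
    print("vulnerable builds:", vulnerable_command(probe))
    try:
        hardened_argv(probe)
    except ValueError as exc:
        print("hardened:", exc)
    # Stand-in for the real script so the hardened path can be exercised here.
    print(run_check(["echo", hardened_argv("device.local")[1]]).strip())
```

The two halves differ in where the trust boundary sits: the vulnerable handler lets the shell interpret attacker-controlled bytes, while the hardened one decides what the bytes may be before any process is spawned and then removes the shell from the path entirely.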
- Dell KACE Remote Code Execution
This vulnerability was discovered by Julien Ahrens at the H1-3120 event in 2018. Dell quietly patched the vulnerability, but since older installations do not patch themselves, there may be machines that are still at risk.
This exploit turns Geutebruck security cameras into potential botnet members. Hackers can exploit "an arbitrary command execution vulnerability. The vulnerability exists in the /uapi-cgi/viewer/testaction.cgi page and allows an anonymous user to execute arbitrary commands with root privileges."
This exploit takes advantage of a vulnerability in a HooToo wireless travel router (which sounds like a bad idea from the get-go, security-wise). The malicious code "tries to open a door in the device by exploiting the RemoteCodeExecution by creating a backdoor inside the device."
Unit 42 concludes that the trend towards a multiplicity of exploits within a single variant will increase the strength of DDoS attacks.