Authors of a new botnet are targeting connected devices affected by critical-level vulnerabilities, some of them impacting network security devices.
The attacks are still active and use publicly available exploits, sometimes only a few hours after being published. Exploit code for at least ten vulnerabilities has been leveraged so far, the latest being added over the weekend.
Exploiting old and recent bugs
Successfully compromised devices end up with a variant of the Mirai botnet malware specific to the architecture of the device.
In mid-February, security researchers at Palo Alto Networks’ Unit 42 discovered attacks from this botnet and started to track its activity.
It took about a month for the botnet operator to integrate exploits for ten vulnerabilities, many of them critical, for various targets.
There are more recent exploits leveraged in these attacks, like CVE-2021-22502, a remote code execution bug in the Micro Focus Operation Bridge Reporter (OBR) product from Vertica.
OBR uses big data technology to create performance reports based on data from other enterprise software.
Two other critical-severity vulnerabilities exploited in attacks from the operator of this Mirai-based botnet are CVE-2021-27561 and CVE-2021-27562 affecting Yealink Device Management.
The flaws were reported through the SSD Secure Disclosure program by independent security researchers Pierre Kim and Alexandre Torres. Technical analysis is available here.
They stem from user-provided data not being properly filtered and allow an unauthenticated attacker to run arbitrary commands on the server with root permission.
Unit 42 researchers say that three of the vulnerabilities the attackers exploit have yet to be identified as the targets remain unknown. Below is a list of the flaws leveraged in these attacks:
|1||VisualDoor||SonicWall SSL-VPN Remote Command Injection Vulnerability||critical severity|
|2||CVE-2020-25506||D-Link DNS-320 Firewall Remote Command Execution Vulnerability||critical severity, 9.8/10|
|3||CVE-2021-27561 and CVE-2021-27562||Yealink Device Management Pre-Auth ‘root’ Level Remote Code Execution Vulnerability||critical severity|
|4||CVE-2021-22502||Remote Code Execution Vulnerability in Micro Focus Operation Bridge Reporter (OBR), affecting version 10.40||critical severity, 9.8/10|
|5||CVE-2019-19356||Resembles the Netis WF2419 Wireless Router Remote Code Execution Vulnerability||high severity, 7.5/10|
|6||CVE-2020-26919||Netgear ProSAFE Plus Unauthenticated Remote Code Execution Vulnerability||critical severity, 9.8/10|
|7||Unidentified||Remote Command Execution Vulnerability Against an Unknown Target||Unknown|
|8||Unidentified||Remote Command Execution Vulnerability Against an Unknown Target||Unknown|
|9||Unknown Vulnerability||Vulnerability Used by Moobot in the Past, Although the Exact Target is Still Unknown||Unknown|
After successfully comprising a device, the attacker dropped various binaries that let them schedule jobs, create filter rules, run brute-force attacks, or propagate the botnet malware:
- lolol.sh: downloads and runs architecture-specific “dark” binaries; it also schedules a job to rerun the script and creates traffic rules that blocks incoming connections over common ports for SSH, HTTP, telnet
- install.sh: installs the ‘zmap’ network-scanner, downloads GoLang and the files for running brute-force attacks on IPs discovered by ‘zmap’
- nbrute.[arch]: binary for brute-force attacks
- combo.txt: a text file with credentials to be used in brute-force attacks
- dark.[arch]: Mirai-based binary used for propagation via exploits or brute-forcing