Authors of a new botnet are targeting connected devices affected by critical-level vulnerabilities, some of them impacting network security devices.

The attacks are still active and use publicly available exploits, sometimes only a few hours after being published. Exploit code for at least ten vulnerabilities has been leveraged so far, the latest being added over the weekend.

Exploiting old and recent bugs

Successfully compromised devices end up with a variant of the Mirai botnet malware specific to the architecture of the device.

In mid-February, security researchers at Palo Alto Networks’ Unit 42 discovered attacks from this botnet and started to track its activity.

It took about a month for the botnet operator to integrate exploits for ten vulnerabilities, many of them critical, for various targets.

Among them is VisualDoor, the exploit for a remote command injection vulnerability in SonicWall SSL-VPN devices that the maker says they fixed years ago.

There are more recent exploits leveraged in these attacks, like CVE-2021-22502, a remote code execution bug in the Micro Focus Operation Bridge Reporter (OBR) product from Vertica.

OBR uses big data technology to create performance reports based on data from other enterprise software.

Two other critical-severity vulnerabilities exploited in attacks from the operator of this Mirai-based botnet are CVE-2021-27561 and CVE-2021-27562 affecting Yealink Device Management.

The flaws were reported through the SSD Secure Disclosure program by independent security researchers Pierre Kim and Alexandre Torres. Technical analysis is available here.

They stem from user-provided data not being properly filtered and allow an unauthenticated attacker to run arbitrary commands on the server with root permission.

Unit 42 researchers say that three of the vulnerabilities the attackers exploit have yet to be identified as the targets remain unknown. Below is a list of the flaws leveraged in these attacks:

IDVulnerabilityDescriptionSeverity
1VisualDoorSonicWall SSL-VPN Remote Command Injection Vulnerabilitycritical severity
2CVE-2020-25506D-Link DNS-320 Firewall Remote Command Execution Vulnerabilitycritical severity, 9.8/10
3CVE-2021-27561 and CVE-2021-27562Yealink Device Management Pre-Auth ‘root’ Level Remote Code Execution Vulnerabilitycritical severity
4CVE-2021-22502Remote Code Execution Vulnerability in Micro Focus Operation Bridge Reporter (OBR), affecting version 10.40critical severity, 9.8/10
5CVE-2019-19356Resembles the Netis WF2419 Wireless Router Remote Code Execution Vulnerabilityhigh severity, 7.5/10
6CVE-2020-26919Netgear ProSAFE Plus Unauthenticated Remote Code Execution Vulnerabilitycritical severity, 9.8/10
7UnidentifiedRemote Command Execution Vulnerability Against an Unknown TargetUnknown
8UnidentifiedRemote Command Execution Vulnerability Against an Unknown TargetUnknown
9Unknown VulnerabilityVulnerability Used by Moobot in the Past, Although the Exact Target is Still UnknownUnknown

After successfully comprising a device, the attacker dropped various binaries that let them schedule jobs, create filter rules, run brute-force attacks, or propagate the botnet malware:

  • lolol.sh: downloads and runs architecture-specific “dark” binaries; it also schedules a job to rerun the script and creates traffic rules that blocks incoming connections over common ports for SSH, HTTP, telnet
  • install.sh: installs the ‘zmap’ network-scanner, downloads GoLang and the files for running brute-force attacks on IPs discovered by ‘zmap’
  • nbrute.[arch]: binary for brute-force attacks
  • combo.txt: a text file with credentials to be used in brute-force attacks
  • dark.[arch]: Mirai-based binary used for propagation via exploits or brute-forcing