New Variant of Mirai Botnet Discovered
A new variant of the Mirai botnet has been discovered targeting multiple vulnerabilities in unpatched D-Link, Netgear and SonicWall devices, as well as never-before-seen flaws in unknown internet-of-things (IoT) gadgets. Since Feb. 16, the new variant has been targeting six known vulnerabilities, and three previously unknown ones, in order to infect systems and add them to a botnet.
The attacks leverage a number of vulnerabilities. The known vulnerabilities exploited include: A SonicWall SSL-VPN exploit; a D-Link DNS-320 firewall exploit (CVE-2020-25506); Yealink Device Management remote code-execution (RCE) flaws (CVE-2021-27561 and CVE-2021-27562); a Netgear ProSAFE Plus RCE flaw (CVE-2020-26919); an RCE flaw in Micro Focus Operation Bridge Reporter (CVE-2021-22502); and a Netis WF2419 wireless router exploit (CVE-2019-19356 ).
The botnet also exploited vulnerabilities that were not previously identified.
The exploits themselves include two RCE attacks — including an exploit targeting a command-injection vulnerability in certain components; and an exploit targeting the Common Gateway Interface (CGI) login script (stemming from a key parameter not being properly sanitized). The third exploit targets the op_type parameter, which is not properly sanitized leading to a command injection, said researchers.
The variant is only the latest to rely on Mirai’s source code, which has proliferated into more than 60 variants since bursting on the scene with a massive distributed denial of service (DDoS) takedown of DNS provider Dyn in 2016.