Mirai Botnet Exploits Zero-Day Bugs For DDoS Attacks
InfectedSlurs, a Mirai botnet malware, has been exploiting two zero-day remote code execution (RCE) vulnerabilities. The malware targets routers and network video recorder (NVR) devices, aiming to add them to its distributed denial of service (DDoS) swarm. Although the botnet was discovered in October 2023, its initial activity is believed to date back to the latter half of 2022. In this blog, we’ll dive into how the botnet was discovered, how it functions, and more.
Mirai Botnet Detection Details
The botnet was discovered when Akamai’s Security Intelligence Response Team (SIRT) noticed malicious activity against the company’s honeypots. The activity is believed to have targeted a rarely used TCP port, and the SIRT noticed fluctuations in the frequency of the zero-day exploit attempts.
An analysis of the zero-day vulnerabilities, published by Akamai, reads, “The activity started out with a small burst, peaking at 20 attempts per day, and then thinned out to an average of two to three per day, with some days completely devoid of attempts.” It’s worth mentioning that the vulnerable devices that fell prey to the botnet remained unidentified until November 9, 2023.
Initially the probes were low-frequency and attempted authentication using a POST request. Upon gaining access, the botnet attempted a command injection exploit. Researchers have also determined that the botnet used default admin credentials to install Mirai variants.
Upon further observation, it was identified that wireless LAN routers built for hotels and residential use were also being targeted by the Mirai botnet. Commenting on the RCE flaw being exploited for unauthorized access, Akamai stated: “The SIRT did a quick check for CVEs known to impact this vendor’s NVR devices and was surprised to find that we were looking at a new zero-day exploit being actively leveraged in the wild.”
InfectedSlurs, JenX, and hailBot
The InfectedSlurs botnet is suspected to be linked to other threats such as JenX and hailBot. The botnet gets its name from the racial and offensive language used in its command-and-control (C2) servers and strings. As of now, researchers believe this botnet to be a variant of the JenX Mirai malware that emerged back in 2018.
Although the botnet mainly uses the JenX variant, some samples appeared to be linked to the hailBot variant as well. Those looking to implement network security measures against this threat should know that the JenX filename is “jxkl” and the assumed filename for hailBot would contain “skid.”
Another unique identifier for hailBot is the console string “hail china mainland”, which is emitted during execution. This was seen in a sample that came from the C2 server “5.181.80[.]120” and called out to the domain name “husd8uasd9[.]online.”
Other mentions of C2 infrastructure were also discovered from deleted Telegram users in a DDoS marketplace named “DStatCC.” In addition, the attacks of the initial Mirai botnet and the one used in October appear quite similar, as they use the same functions and target the same memory locations.
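As an added illustration (not part of the original post or of Akamai’s research), the following Python scans log lines for the indicators quoted above, restoring the defanged “[.]” notation before matching. The log format, sample hosts (192.0.2.0/24 documentation range) and file paths are constructed assumptions.

```python
import re
from typing import Iterable

# Indicators quoted in the write-up above, kept defanged as published.
# Each value is the label reported when the indicator is seen.
STRING_INDICATORS = {
    "hail china mainland": "hailBot console string",
    "5.181.80[.]120": "hailBot C2 server",
    "husd8uasd9[.]online": "hailBot callout domain",
}
# Filename fragments are only matched inside a path component (e.g. /tmp/jxkl),
# because a bare substring match on "skid" would fire on ordinary words.
FILENAME_INDICATORS = {
    "jxkl": "JenX sample filename",
    "skid": "hailBot sample filename fragment",
}

def refang(ioc: str) -> str:
    """Restore a defanged indicator ("[.]" -> ".") so it matches live log text."""
    return ioc.replace("[.]", ".")

def match_indicators(line: str) -> list[str]:
    """Return the label of every indicator found in one log line."""
    hits = []
    for ioc, label in STRING_INDICATORS.items():
        if re.search(re.escape(refang(ioc)), line, re.IGNORECASE):
            hits.append(label)
    for fragment, label in FILENAME_INDICATORS.items():
        # a path separator followed by a basename that contains the fragment
        if re.search(r"/[^/\s]*" + re.escape(fragment) + r"[^/\s]*", line, re.IGNORECASE):
            hits.append(label)
    return hits

def scan(lines: Iterable[str]) -> dict[int, list[str]]:
    """Map line index -> matched labels for every line with at least one hit."""
    return {i: h for i, line in enumerate(lines) if (h := match_indicators(line))}

# Constructed sample log lines (assumed format; not real telemetry).
SAMPLE_LOG = [
    "2023-11-01T10:02:11Z dns query from 192.0.2.10: husd8uasd9.online A",
    "2023-11-01T10:02:12Z conn 192.0.2.10:51234 -> 5.181.80.120:443",
    "2023-11-01T10:02:15Z exec /tmp/jxkl uid=0",
    "2023-11-01T10:02:16Z stdout: hail china mainland",
    "2023-11-01T10:02:17Z exec /tmp/skid.bin uid=0",
    "2023-11-01T10:03:00Z dns query from 192.0.2.11: example.com A",
]

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(labels)}")
```

A hit on a filename fragment alone is weak evidence; confirm it against the network and console indicators before treating a device as compromised.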
Cyber Attack Mitigation Strategies
Before we discuss botnet vulnerability prevention, note that the SIRT is working with different cybersecurity agencies to notify vendors affected by the botnet. Vendor details have not been disclosed, as doing so could increase exploitation.
Internet of Things (IoT) security measures for preventing such attacks differ for InfectedSlurs infections and DDoS attacks.
- For InfectedSlurs infections:
  - Check and replace default credentials.
  - Isolate vulnerable devices and investigate them for compromise.
- For DDoS attack prevention:
  - Implement CISA recommendations.
  - Examine subnets and IP spaces.
  - Develop DDoS security controls.
  - Test for and remove opportunities for lateral movement.
The InfectedSlurs botnet is leveraging two previously unknown RCE vulnerabilities to target NVR devices. Although the malware has only just been discovered, its activity can be traced back to 2022. The botnet is linked to earlier variants, including JenX and hailBot. Patches have not been deployed as of now; however, adhering to proactive cybersecurity measures can help improve security posture and safeguard against threat actors.