Mirai malware targets Linux servers and IoT devices

March 3, 2023 - TuxCare PR Team

Unit 42 researchers discovered “Mirai v3g4”, a new variant of the Mirai botnet that targets 13 unpatched vulnerabilities in Internet of Things (IoT) devices. The flaws have been discovered in a variety of devices, including routers, cameras, and network-attached storage (NAS) devices, and they could allow hackers to take control of them and use them maliciously.

Tens of thousands of devices, mostly in the United States and Europe, are thought to have been infected by the new botnet. To target the vulnerabilities, it employs a mix of known and new exploits, including some that have been known for several years. This indicates that many users are failing to take basic security precautions, such as updating their devices and changing default passwords.

Once the vulnerable devices have been compromised by the variant known as V3G4, they can be fully controlled by attackers and become part of a botnet capable of carrying out additional campaigns such as DDoS attacks.

“V3G4 inherits its most significant feature from the original Mirai variant — a data section with embedded default login credentials for the scanner and brute force purposes,” according to researchers. “Like the original Mirai, it also encrypts all credentials with XOR key 0x37, says Unit 42.”

“The vulnerabilities have less attack complexity than previously observed variants, but they maintain a critical security impact that can lead to remote code execution,” Unit 42 said.

While most Mirai variants use the same key for string encryption, the V3G4 variant, according to the researcher, uses different XOR encryption keys for different scenarios (XOR is a Boolean logic operation frequently used in encryption).

V3G4 comes with a set of default or weak login credentials that it uses to launch brute-force attacks via Telnet and SSH network protocols and spread to other machines. After that, it connects to the C2 server and waits for commands to launch DDoS attacks against targets, according to Unit 42.

V3G4 took advantage of vulnerabilities in the FreePBX management tool for Asterisk communication servers (vulnerability CVE-2012-4869); Atlassian Confluence (vulnerability CVE-2022-26134); the Webmin system administration tool (CVE-2019-15107); DrayTek Vigor ruters (CVE-2020-8515 and CVE-2020-15415); and the C-Data Web Management System (CVE-2022-4257).

One of the most well-known examples of IoT-based attacks is the Mirai botnet. It first appeared in 2016 and has since been responsible for a number of high-profile attacks, including the 2016 Dyn cyberattack, which caused major website disruptions. The botnet operates by scanning the internet for vulnerable devices and then employing them in distributed denial-of-service (DDoS) attacks or other malicious activity.

The discovery of a new Mirai variant highlights the ongoing threat posed by Internet of Things-based attacks. As the number of IoT devices grows, so does the risk of these devices being compromised by hackers. To reduce this risk, users should take basic security precautions such as updating their devices, using strong passwords, and restricting network access. To detect and respond to potential attacks, they should also consider using security software and monitoring tools.

The sources for this piece include an article in SCMagazine.

Summary