Researchers from Palo Alto's Networks Unit 42 say there is a new variant of the Mirai botnet was used to exploit a host of flaws to target IoT devices. Specifically, Mirai V3G4 was used to attempt to exploit over a dozen flaws between July and December 2022.
The vulnerabilities are as followed:
- “CVE-2012-4869: FreePBX Elastix Remote Command Execution Vulnerability
- Gitorious Remote Command Execution Vulnerability
- CVE-2014-9727: FRITZ!Box Webcam Remote Command Execution Vulnerability
- Mitel AWC Remote Command Execution Vulnerability
- CVE-2017-5173: Geutebruck IP Cameras Remote Command Execution Vulnerability
- CVE-2019-15107: Webmin Command Injection Vulnerability
- Spree Commerce Arbitrary Command Execution Vulnerability
- FLIR Thermal Camera Remote Command Execution Vulnerability
- CVE-2020-8515: DrayTek Vigor Remote Command Execution Vulnerability
- CVE-2020-15415: DrayTek Vigor Remote Command Injection Vulnerability
- CVE-2022-36267: Airspan AirSpot Remote Command Execution Vulnerability
- CVE-2022-26134: Atlassian Confluence Remote Code Execution Vulnerability
- CVE-2022-4257: C-Data Web Management System Command Injection Vulnerability”
It seems the attackers were trying to infect IoT systems and targeting the largest IoT networks possible. They were attempting to compose a botnet that would be able to carry out multiple attacks at the same time. Some of the threats were DDoS (distributed denial of service).
Targets
Palo Alto points out that there appear to be three Mirai V3G4 campaigns were in use, all from the same threat actor or group. A total of 13 vulnerabilities were targeted to carry out remote code execution attacks on IoT devices.
“The vulnerabilities mentioned above have less attack complexity than previously observed variants, but they maintain a critical security impact that can lead to remote code execution. Once the attacker gains control of a vulnerable device in this manner, they could take advantage by including the newly compromised devices in their botnet to conduct further attacks such as DDoS. Therefore, it is highly recommended that patches and updates are applied when possible.”
Tip of the day: The Windows Sandbox gives Windows 10/11 Pro and Enterprise users a safe space to run suspicious apps without risk. In out tutorial we show you how to enable the Windows Sandbox feature.