A version of the Mirai botnet called BeastMode has updated its arsenal of exploits. The botnet added exploits for five new vulnerabilities between February and March 2022, three of which affect different models of TOTOLINK routers.

Which vulnerabilities are exploited?

According to Fortinet researchers, BeastMode attempts to infect TOTOLINK routers by exploiting the following vulnerabilities:
  • CVE-2022-26210 - Affects the TOTOLINK A800R, A810R, A830R, A950RG, A3000RU, and A3100R router models.
  • CVE-2022-26186 - Affects the N600R and A7100RU models.
  • CVE-2022-25075/25076/25077/25078/25079/25080/25081/25082/25083/25084 - A family of similar vulnerabilities affecting the TOTOLINK A810R, A830R, A860R, A950RG, A3100R, A3600R, T6, and T10 routers.

The threat actors added the exploits just a week after the PoCs were publicly released on GitHub. This gave the attackers a window to compromise a large number of devices before firmware updates were released and applied by device owners.

How does the BeastMode botnet work?

  • Like most DDoS botnets, BeastMode attempts to infect devices by launching brute-force attacks or by exploiting multiple vulnerabilities.
  • Once launched, the botnet can perform a variety of DDoS attacks, including attack_app_http, attack_tcp_ack, attack_tcp_syn, attack_udp_plain, attack_udp_vse, attack_udp_ovhhex, attack_udp_stdhex, and attack_udp_CLAMP.

About the latest attack campaign

  • The botnet samples captured on February 20 contained a typo in the URL: the ‘downloadFlile.cgi’ endpoint name used by the device was replaced with ‘downloadFile.cgi’, so those early samples could not reach the vulnerable endpoint.
  • However, the attackers had fixed the samples three days after the discovery, which suggests that the campaign is still under active development.
  • Apart from TOTOLINK products, the campaign also targets obsolete D-Link products (DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L) via CVE-2021-45382.
  • Other products from TP-Link, Huawei, and NETGEAR, as well as NUUO NVRmini2 and NVRsolo devices, are also targeted in the campaign.
  • Researchers note that the vulnerabilities affecting these products are command-injection flaws: a successful exploit lets the threat actor run arbitrary commands on the device.
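The typo bullets above are useful from a defender's side: the early samples requested ‘downloadFile.cgi’ (which does not exist on the device, so the probe fails) while the fixed samples requested ‘downloadFlile.cgi’. A detection that only matches one spelling misses one generation of the scanner. The script below is an added example, not code from the article or from Fortinet; it scans constructed Apache-style access-log lines (all IPs, timestamps and sizes are made up) for requests to either spelling of the endpoint and summarizes the probing sources.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Common Log Format. Every IP address,
# timestamp, status and size here is made up for the example.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Feb/2022:10:01:02 +0000] "GET /cgi-bin/downloadFile.cgi HTTP/1.1" 404 0 "-" "curl/7.68.0"
192.0.2.44 - - [23/Feb/2022:11:15:30 +0000] "GET /cgi-bin/downloadFlile.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Feb/2022:11:16:00 +0000] "GET /login.html HTTP/1.1" 200 128 "-" "Mozilla/5.0"
192.0.2.44 - - [23/Feb/2022:11:17:45 +0000] "POST /cgi-bin/downloadFlile.cgi?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Feb/2022:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Common Log Format: source, identity, user, [timestamp], "METHOD path proto", status ...
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The optional "l" makes the pattern match both the real endpoint name the
# article mentions (downloadFlile.cgi) and the misspelled variant
# (downloadFile.cgi) used by the February 20 samples.
ENDPOINT_RE = re.compile(r"downloadF(l?)ile\.cgi$")


def find_endpoint_probes(log_text):
    """Return one record per request whose path ends in either spelling of the endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than fail on malformed input
        path = m.group("path").split("?", 1)[0]  # drop any query string
        e = ENDPOINT_RE.search(path)
        if not e:
            continue
        hits.append({
            "src": m.group("src"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "path": path,
            "status": int(m.group("status")),
            # group(1) is "" when the "l" is absent, i.e. the attacker's typo variant
            "misspelled": e.group(1) == "",
        })
    return hits


def summarize_by_source(hits):
    """Count probing requests per source address."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    probes = find_endpoint_probes(SAMPLE_LOG)
    for h in probes:
        variant = "typo variant" if h["misspelled"] else "real endpoint"
        print(f'{h["ts"]} {h["src"]} {h["method"]} {h["path"]} -> {h["status"]} ({variant})')
    print("requests per source:", dict(summarize_by_source(probes)))
```

Running the script flags the February 20 probe for the misspelled path (a 404, so the request never reached the vulnerable handler) and the two later requests for the real endpoint from the same source. In practice, feed it a real access log from the router or from a reverse proxy in front of it; the status code tells you whether a probe could have succeeded, and repeated hits from one source are a hint to block that address and check the device for compromise.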

Conclusion

By rapidly adopting newly released exploit code, threat actors can infect vulnerable devices and expand their botnets before patches are widely installed. Therefore, users must be vigilant in applying firmware updates as soon as they are released. They should also change their router passwords periodically to reduce the risk from brute-force attacks.

Cyware Publisher
