EnemyBot botnet has added new exploits for recently disclosed critical security flaws. These flaws exist in web servers, IoT and Android devices, and content management systems.
What has been discovered?
Recently, the latest variants of EnemyBot were found adding exploits for 24 vulnerabilities, along with other enhancements.
- The botnet has added support for more than a dozen processor architectures and platforms, such as ARM, x86, OpenBSD, macOS, PowerPC, and MIPS.
- Additionally, it is suspected to be strongly correlated with the LolFMe botnet, sharing similar strings, structure, and patterns in its code.
Exploited flaws
The analysis of the new EnemyBot variant by AT&T Alien Labs disclosed the following exploited flaws:
- CVE-2022-22954: A remote code execution flaw in VMware Workspace ONE Access and Identity Manager.
- CVE-2022-22947: A remote code execution flaw in Spring, fixed in March 2022 and targeted throughout April.
- CVE-2022-1388: A remote code execution flaw in F5 BIG-IP that leads to device takeover.
- Other targeted flaws include vulnerabilities in routers and IoT devices, such as CVE-2022-27226 (iRZ) and CVE-2022-25075 (TOTOLINK), as well as the infamous Log4Shell vulnerability.
About the botnet
The botnet was first spotted around a month ago, when an analysis of samples appeared in a Securonix report. It is operated by a group named Keksec, which appears to be expanding its botnet network.
Conclusion
The attackers are adding exploits for new vulnerabilities soon after they are disclosed, in order to compromise as many devices as possible. Thus, always make sure to update and apply the latest security patches to the devices in use.