loader gif

Latest sample of Echobot found using 26 exploits to target IoT devices

Latest sample of Echobot found using 26 exploits to target IoT devices
  • Most of the exploitation code included in the Echobot variant is for unpatched IoT devices.
  • The targets include network-attached storage devices (NAS), routers, network video recorders (NVR), IP cameras, IP phones, and wireless presentation systems.

Earlier this June, security researchers at Palo Alto Networks had discovered a new variant of Mirai botnet named Echobot using a total of 18 exploits to target IoT devices. However, the latest research cites that Echobot has evolved to include 26 exploits in its arsenal.

What are the targets of the latest variant of Echobot?

The targets of the latest Echobot variant include network-attached storage devices (NAS), routers, network video recorders (NVR), IP cameras, IP phones, and wireless presentation systems.

What are the additional exploits?

Most of the exploitation code included in the Echobot variant is for unpatched IoT devices. Apart from these the botnet also exploits well-known vulnerabilities in Oracle WebLogic and VMware SD-Wan.

"I counted 26 different exploits that were being used in the spread of this botnet. Most were well-known command execution vulnerabilities in various networked devices," said Larry Cashdollar from Akamai Technologies in a blog post.

The new variant of Echobot includes 8 extra exploits along with the previously available exploit.

The 8 additional exploits are:

  • Belkin Wemo UPnP remote code execution vulnerability (CVE-2019-12780);
  • Hootoo HT-05 remote code execution vulnerability (CVE-2018-20841);
  • Netgear ReadyNAS remote code execution vulnerability (CVE-2017-18377);
  • Wireless IP camera (P2P) WIFICAM (CVE-2017-18377);
  • Ubiquity Nanostation5 (Air OS) - remote code execution vulnerability(CVE-2010-5330);
  • ASMAX Ar-804gu command injection vulnerability (CVE-2009-5156);
  • D-Link UPnP SOAP command injection vulnerability (CVE-2013-7471);
  • Linksys WAG54G2 Web Management Console injection vulnerability (CVE-2009-5157).

The bottom line

Cashdollar’s latest research reveals that Echobot uses the same attack code derived from Mirai. But the only difference seems to be the addition of exploits that help the Echobot variant to spread.

loader gif