New variants of the infamous IoT botnets Mirai and Gafgyt have been spotted targeting a range of vulnerabilities including the Apache Struts flaw behind the Equifax data breach in 2017. Palo Alto Networks' Unit 42 said samples of the Mirai variant have added exploits targeting 16 different vulnerabilities including the Apache Struts arbitrary command execution vulnerability CVE-2017-5638.
The vulnerability, which was left unpatched by Equifax, was exploited by hackers and led to the compromise of 143 million consumers.
This is the first known instance of Mirai targeting an Apache Struts vulnerability, researchers said in a blog post.
The new Mirai variant is also targeting vulnerabilities such as the Linksys E-series device remote code execution flaw, a D-Link router remote code execution flaw, an OS command injection security flaw affecting Zyxel routers, an unauthenticated command injection flaw affecting AVTECH IP devices and more.
"Unit 42 found the domain that is currently hosting these Mirai samples previously resolved to a different IP address during the month of August," researchers noted. "During that time this IP was intermittently hosting samples of Gafgyt that incorporated an exploit against CVE-2018-9866 a SonicWall vulnerability affecting older versions of SonicWall Global Management System (GMS). SonicWall has been notified of this development."
Meanwhile, the Gafgyt variant is targeting CVE-2018-9866, a security flaw discovered in July that affects old, unsupported versions of SonicWall Global Management System (GMS) - versions 8.1 and older.
The vulnerability targeted by the exploit is caused by the lack of sanitization of XML-RPC requests to the set_time_config method. There is currently no fix for the flaw except for GMS users to upgrade to version 8.2.
Researchers noted that the Gafgyt samples cropped up on August 5, less than a week after the Metasploit module for the vulnerability was published. Some of its configured commands include launching the Blacknurse DDoS attack.
"Blacknurse is a low bandwidth DDoS attack involving ICMP Type 3 Code 3 packets causing high CPU loads, first discovered in November 2016," Unit 42 notes. "The earliest samples we have seen supporting this DDoS method are from September 2017."
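The BlackNurse traffic pattern described in the quote above lends itself to simple rate-based detection on the defender's side. The following is an added example, not code from Unit 42 or the article; the per-source packets-per-second threshold and the sample packet records are constructed for illustration.

```python
"""Added example (not from the Unit 42 post or the article): a small
rate-based detector for BlackNurse-style floods, which the post describes
as ICMP Type 3 Code 3 (Destination Unreachable / Port Unreachable) packets
sent at low bandwidth but at a rate high enough to load a firewall's CPU.
Input records are constructed here; THRESHOLD_PPS is an assumed value."""
from collections import defaultdict, deque

ICMP_DEST_UNREACH = 3          # ICMP Type 3
ICMP_PORT_UNREACH = 3          # Code 3 within Type 3
WINDOW_SECONDS = 1.0
THRESHOLD_PPS = 200            # assumed alert threshold per source per window

# Constructed packet records: (timestamp, src_ip, icmp_type, icmp_code).
# One source sends 300 Type 3/Code 3 packets in one second; another sends
# a handful of ordinary echo requests (Type 8) plus two unreachables.
SAMPLE_PACKETS = (
    [(10.0 + i / 300.0, "198.51.100.7", 3, 3) for i in range(300)]
    + [(10.0 + i / 10.0, "203.0.113.5", 8, 0) for i in range(10)]
    + [(10.5, "203.0.113.5", 3, 3), (10.6, "203.0.113.5", 3, 1)]
)

def is_blacknurse_candidate(icmp_type, icmp_code):
    """Only Type 3 / Code 3 packets count toward the flood detector."""
    return icmp_type == ICMP_DEST_UNREACH and icmp_code == ICMP_PORT_UNREACH

def detect_floods(packets, window=WINDOW_SECONDS, threshold=THRESHOLD_PPS):
    """Sliding-window count of Type 3/Code 3 packets per source.
    Returns {src_ip: peak packets seen in any window that crossed the
    threshold}; sources that never cross it are absent."""
    recent = defaultdict(deque)   # src_ip -> timestamps inside the window
    alerts = {}
    for ts, src, itype, icode in sorted(packets):
        if not is_blacknurse_candidate(itype, icode):
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(q))
    return alerts

if __name__ == "__main__":
    for src, peak in detect_floods(SAMPLE_PACKETS).items():
        print(f"possible BlackNurse flood from {src}: {peak} pkt/s")
```

In production the same logic would run over flow or packet-capture exports from the perimeter device, with the threshold tuned to the firewall's observed baseline of legitimate Type 3 traffic.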
The new variants come as new IoT botnets have continued to pop up in recent months.
In July, NewSky security researchers spotted a new 18,000-device-strong botnet made up of vulnerable Huawei devices that took its creator just 24 hours to build. In August, new Mirai variants were created leveraging an open-source project named Aboriginal Linux to create a compiled binary and make Mirai executable on a wide range of IoT devices.
Earlier this year, a Mirai botnet variant was used to attack at least three financial institutions.
"The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could indicate a larger movement from consumer device targets to enterprise targets," researchers added. "These developments suggest these IoT botnets are increasingly targeting enterprise devices with outdated versions."