Mozi, the peer-to-peer botnet, has now been updated to target network gateways made by multiple vendors such as Netgear, ZTE, and Huawei. With control of a gateway, attackers can also perform Man-in-the-Middle (MitM) attacks via DNS spoofing and HTTP hijacking.

What has happened

Network gateways are well suited for initial access to corporate networks. According to researchers, upgrading Mozi's capabilities to target network gateways allows attackers to compromise endpoints and spread ransomware, or can lead to safety issues in OT facilities.
  • It has been upgraded with new commands that allow it to hijack HTTP sessions and perform DNS spoofing to redirect traffic to a domain controlled by an attacker.
  • Mozi propagates by exploiting weak and default remote access passwords and unpatched vulnerabilities. The IoT malware communicates using a Distributed Hash Table (DHT).
  • The DHT is used to record the contact info of other nodes in the botnet. The infected devices wait for commands from controller nodes and try to compromise other exposed targets.
  • Mozi accomplishes persistence on targeted and compromised devices by blocking TCP ports (23, 2323, 7547, 35000, 50023, and 58000) used to obtain remote access to the gateway.
 

Additional insights

In another investigation published a month ago, the Elastic Security Intelligence and Analytics Team found that 24 countries have been targeted by Mozi so far, with Bulgaria and India at the top.
  • Recent research from Microsoft has found that the malware takes certain actions, such as ignoring some domains, to improve its chances of surviving a reboot.
  • According to IBM X-Force analysis, Mozi accounted for 90% of IoT network traffic from October 2019 to June 2020.

Conclusion

The Mozi botnet has been active for a couple of years and has now been further updated to target network gateways from multiple vendors. The key security recommendations therefore remain the same: always use strong passwords and regularly update the firmware of network devices.

Cyware Publisher
