Go to listing page

New Variant of Mirai Targets 13 Known IoT Device Vulnerabilities

New Variant of Mirai Targets 13 Known IoT Device Vulnerabilities
A new variant of the Mirai botnet dubbed V3G4 has been identified by researchers. The malware exploits 13 vulnerabilities in various servers and IoT devices and uses brute-forcing attacks to propagate further across the network.

Understanding the campaign 

According to Palo Alto Networks’ Unit 42 researchers, V3G4 primarily targets IP cameras, servers, and other IoT devices exposed to the internet.
  • Once compromised, hackers leverage the devices as a part of their botnet network and use them in launching DDoS attacks or carry out other malicious activities.
  • Attackers can propagate across the network in order to target more devices. For this, they either use brute-force attacks or target other vulnerabilities to spread the infection further.

Exploited vulnerabilities 

The V3G4 variant targets 13 already known vulnerabilities in popular enterprise products. They include: 
  • CVE-2012-4869: FreePBX Elastix Remote Command Execution Vulnerability
  • CVE-2014-9727: FRITZ!Box Webcam Remote Command Execution Vulnerability
  • CVE-2017-5173: Geutebruck IP Cameras Remote Command Execution Vulnerability
  • CVE-2019-15107: Webmin Command Injection Vulnerability
  • CVE-2020-8515: DrayTek Vigor Remote Command Execution Vulnerability
  • CVE-2020-15415: DrayTek Vigor Remote Command Injection Vulnerability
  • CVE-2022-36267: Airspan AirSpot Remote Command Execution Vulnerability
  • CVE-2022-26134: Atlassian Confluence Remote Code Execution Vulnerability
  • CVE-2022-4257: C-Data Web Management System Command Injection Vulnerability
  • Mitel AWC Remote Command Execution Vulnerability
  • Gitorious Remote Command Execution Vulnerability
  • Spree Commerce Arbitrary Command Execution Vulnerability
  • FLIR Thermal Camera Remote Command Execution Vulnerability

More about V3G4 operations

Upon successful exploitation, the malware executes the wget and curl utilities to download and execute Mirai bot clients. 
  • The botnet client carries a list of processes (the stop list), containing names of other botnet malware families and previous variants of Mirai. Further, it terminates all the processes from the infected device.
  • It initializes a table of telnet/SSH login credentials and then attempts to spread further in the network by brute-forcing network devices.

Safety tips

To protect your IoT devices against V3G4 and other botnet malware, experts recommend following best practices, such as keeping the software and firmware updated, using strong passwords, and disabling services and protocols that are not in use. Additionally, network segmentation can help contain the malware, preventing a widespread impact of infection.
Cyware Publisher