New Zerobot Botnet Abuses IoT Vulnerabilities

Diving into details

• While the first version of Zerodol, used before November 24, had only basic capabilities, the latest one is capable of self-replication and compromising more endpoints using 21 exploits via the self-propagation module.
• The exploits include flaws in Zyxel firewalls, TOTOLINK routers, F5 BIG-IP, Spring Framework, D-Link DNS-320 NAS, Hikvision cameras, and FLIR AX8 thermal imaging cameras, among others.
• The botnet can target i386, amd64, arm, mips64le, mipsle, arm64, mips, mips64, ppc64, ppc64le, riscv64, and s390x CPU architectures.
• Once communication is established with the C2 server—via the WebSocket Protocol—further instructions enable Zerobot to run arbitrary commands and launch attacks for various network protocols, including TCP, TLS, UDP, ICMP, and HTTP.

Why this matters

• Within a very short span of time, Zerobot was enhanced with a copy file module, string obfuscation, and a propagation exploit module that makes it challenging to be detected while infecting a greater number of IoT devices. 
• The researchers have asserted that the threat is critical since remote attackers can gain access to vulnerable systems and its AntiKill module prevents victims from disrupting the Zerobot program.

The bottom line