A new variant of Mirai has been discovered that is abusing security flaws in D-Link, Netgear, and SonicWall devices, among others. Since February, this variant has targeted six known vulnerabilities, along with three previously unknown ones to infect systems and add them to a botnet network.
More than 60 variants of Mirai have been observed and most of these variants take advantage of known or unknown vulnerabilities in IoT devices. The latest attacks are based on a recent variant of Mirai’s source code, with some additional vulnerabilities targeting IoT devices.
The botnet exploits known vulnerabilities in SonicWall SSL-VPN; D-Link DNS-320 firewall (CVE-2020-25506); Yealink Device Management (CVE-2021-27561 and CVE-2021-27562); Netgear ProSAFE Plus (CVE-2020-26919); Micro Focus Operation Bridge Reporter (CVE-2021-22502); and a Netis WF2419 router (CVE-2019-19356).
In addition, the botnet uses some unidentified exploits, including two RCE attacks - one targeting a command-injection vulnerability and the other was targeting the Common Gateway Interface (CGI). Another exploit was targeting the op_type parameter that leads to command injection.
Use of binaries
After initial infection, the botnet uses the wget utility to download a shell script from the malware’s infrastructure. Consequently, the shell script downloads various Mirai binaries and runs them one-by-one.
Lolol[.]sh: It deletes key folders from the target machine; creates packet filter rules to bar incoming traffic directed at the commonly-used SSH, HTTP and telnet ports.
Install[.]sh: It downloads various files and packages, such as GoLang v1.9.4, the - nbrute - binaries, and the combo[.]txt file that includes multiple credential combinations used for brute-forcing by - nbrute.
Dark.[arch]: It is mainly used for propagation via taking advantage of the initial Mirai exploits described above. In addition, it can brute-force SSH connections using hardcoded credentials in the binary.
One of the most prominent takeaways from all Mirai attacks to date is that unpatched connected devices are always a security risk. Thus, it has become very important to regularly update and apply patches to IoT devices and firmware. In addition, always change the default credentials of IoT devices to stay protected from such attacks.