- Security researchers observe new botnet-building campaign called Murdoc
- Its attacks are targeting IP cameras and routers
- More than 1,000 devices have been identified as compromised
Cybersecurity researchers from the Qualys Threat Research Unit have observed a new large-scale operation exploiting vulnerabilities in IP cameras and routers to build out a botnet.
In a technical analysis, Qualys said the attackers were mostly exploiting CVE-2017-17215 and CVE-2024-7029, seeking to compromise AVTECH IP cameras, and Huawei HG532 routers. The botnet is essentially Mirai, although in this case it was dubbed Murdoc.
Qualys said Murdoc demonstrated “enhanced capabilities, exploiting vulnerabilities to compromise devices and establish expansive botnet networks.”
The persevering Mirai
The campaign most likely started in July 2024, and has so far managed to compromise 1,370 systems. Most of the victims are located in Malaysia, Mexico, Thailand, Indonesia, and Vietnam.
With a network of internet-connected devices (bots) under their control, malicious actors can mount Distributed Denial of Service (DDoS) attacks, bringing websites and services down, disrupting operations and causing financial and reputational harm.
Mirai is a highly popular botnet malware. Created by three college students in the US: Paras Jha, Josiah White, and Dalton Norman, Mirai became infamous in 2016 after orchestrating a large-scale DDoS attack on Dyn, that temporarily disrupted major websites, including Netflix, and Twitter.
The creators released the source code online, right before their arrest in 2017. They pled guilty to using the botnet for DDoS attacks and other schemes.
While law enforcement continues to target and disrupt the botnet, it has shown great resilience and continues to be active to this day.
Less than two weeks ago, a Mirai variant named ‘gayfemboy’ was found exploiting a bug in Four-Faith industrial routers. Although clearly spawned from Mirai, this new version differs greatly, abusing more than 20 vulnerabilities and targeting weak Telnet passwords. Some of the vulnerabilities have never been seen before, and don’t have CVEs assigned just yet. Among them are bugs in Neterbit routers, and Vimar smart home devices.