Industrial routers are being hit by zero-days from new Mirai botnets -

Chinese researchers discovered a variant of Mirai with an offensive name
It targets industrial routers and smart home devices with zero-day flaws, misconfigurations, and poor passwords
Some 15,000 active IP addresses were found

A new malicious botnet was recently observed, spreading through zero-day vulnerabilities and assimilating industrial routers and smart home devices.

Cybersecurity researchers from the Chinese outfit Qi’anxin XLab claim the botnet is based on Mirai, an infamous piece of malware that’s known to be behind some of the biggest and most devastating Distributed Denial of Service (DDoS) attacks.

However, the new versions differ greatly from the original Mirai, as they abuse more than 20 vulnerabilities, and target weak Telnet passwords, as means of distribution and spreading. Some of the vulnerabilities have never been seen before, and don’t have CVEs assigned just yet. Among them are bugs in Neterbit routers, and Vimar smart home devices.

Intense attacks

The researchers also observed CVE-2024-12856 being used to infect devices. This is a high-severity (7.2/10) command injection vulnerability found in Four-Faith industrial routers.

The botnet is called “gayfemboy” and apparently counts roughly 15,000 active IP addresses located in the US, Turkey, Iran, China, and Russia. The botnet mostly targets these devices, so if you’re running any of them, be on the lookout for indicators of compromise.

ASUS routers, Huawei routers, Neterbit routers, LB-Link routers, Four-Faith Industrial Routers, PZT cameras, Kguard DVR, Lilin DVR, Generic DVRs, Vimar smart home devices, and other different 5G/LTE devices with misconfigurations or weak credentials.

Whoever is behind this botnet is not wasting their time, either. Since February last year, it’s been running different DDoS attacks, with peak performance being recorded in October and November 2024. The targets are mostly located in China, the US, UK, Germany, and Singapore.

The attacks usually last between 10 and 30 seconds and are quite intense, exceeding 100Gbps in traffic, which can disrupt even the most robust infrastructures.

“The targets of attacks are all over the world and distributed in various industries,” the researchers said. “The main targets of attacks are distributed in China, the United States, Germany, the United Kingdom, and Singapore,” they concluded.

Via BleepingComputer

Source link

Leave a Reply Cancel reply