InfectedSlurs Botnet Spreads Mirai via Zero-Days

The payload targets routers and network video recorder (NVR) devices that still use default admin credentials and installs Mirai variants when it succeeds. Until November 9, 2023, the vulnerable devices being targeted were unknown. Because both the device name and the version number have internet-slang roots, we originally assumed that the in-the-wild devices matching the profile we were hunting for had to be a honeypot or a joke. Looking at these devices through a broader lens gave us more hints about what we were seeing. In some cases, devices in the wild with HTTPS enabled leaked additional information in the Subject line of their HTTPS certificate, which pointed us to a specific domain that we traced back to an NVR manufacturer. The SIRT did a quick check for CVEs known to affect this vendor's NVR devices and was surprised to find that we were looking at a new zero-day exploit being actively leveraged in the wild.

We decided to look more closely at the campaign building the botnet behind this zero-day by going back to our honeypot, malware, and botnet tracking logs. Device identification in this second instance was much simpler because the device's default administrative credentials included the device model number. We have not yet received a full report from the NVR vendor on which device models and versions are believed to be affected. The SIRT estimates that the NVR vendor produces roughly 100 NVR/DVR/IP camera products; with no version information leaking from public-facing devices in the wild, it is difficult to know exactly which ones are and are not affected. The router vendor produces multiple switches and routers, and although the Japanese manufacturer has confirmed the exploit for the first device via JPCERT coordination, we have not been told whether it is the only affected model in their lineup.
We plan to publish a follow-up blog post with additional details and deeper coverage of the devices and exploit payloads once the vendors and CERTs are confident that responsible disclosure, patching, and remediation have run their course.

This activity derives from a Mirai botnet activity cluster that appears to primarily use the older JenX Mirai malware variant, made famous for using Grand Theft Auto to recruit Internet of Things devices to do its malicious bidding. Many of the command and control (C2) domains we identified overlap in IP address resolution and share the exact same dates for infrastructure changes, which supports this connection. Interestingly, many of those IP addresses resolve for only a limited number of C2 domains. It is common for a domain to point to an IP that hosts thousands of other domains, but in this case many of the IPs pointed to only a few domains, typically all belonging to this actor's infrastructure, with the first-seen and last-seen dates of several domains often changing at the same time.

The C2 domains in this cluster tell us a few things about the individual(s) behind it: the naming conventions often contained racial epithets, offensive language, or generally inappropriate terms. The JenX Mirai variant, like many Mirai variants, prints a unique hard-coded string to the console when it compromises a machine. One of the associated JenX Mirai samples available on VirusTotal with that console string came from the C2 IP address 45.142.182[.]96 and called out to the domain iaxtpa[. Many of the C2 addresses and C2 domain resolutions align with IPs in the Classless Inter-Domain Routing (CIDR) block 5.181.80.0/24. There was additional evidence linking some of the domains: overlapping IP resolution, with changes to different IPs at exactly the same dates and times.
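The infrastructure pivot described above (domains that share resolutions, move to new IPs on the same dates, sit on low-fan-out IPs, and touch the 5.181.80.0/24 block) can be expressed as a small passive-DNS clustering routine. This is an added example, not Akamai SIRT code; the domain names, dates and the 5.181.80.10 address are constructed sample records, while the /24 block and 45.142.182[.]96 are the values the report cites.

```python
import ipaddress
from collections import defaultdict
from datetime import date

# Constructed passive-DNS style records: (domain, resolved IP, first_seen, last_seen).
# Domain names are placeholders; only the /24 block and 45.142.182.96 come from the report.
RECORDS = [
    ("c2-a.example", "5.181.80.10", date(2023, 9, 1), date(2023, 10, 11)),
    ("c2-b.example", "5.181.80.10", date(2023, 9, 1), date(2023, 10, 11)),
    ("c2-c.example", "5.181.80.10", date(2023, 7, 3), date(2023, 8, 20)),
    ("c2-a.example", "45.142.182.96", date(2023, 10, 12), date(2023, 11, 9)),
    ("c2-b.example", "45.142.182.96", date(2023, 10, 12), date(2023, 11, 9)),
    ("cdn.example", "203.0.113.7", date(2023, 1, 1), date(2023, 12, 1)),
    ("shop.example", "203.0.113.7", date(2023, 2, 1), date(2023, 12, 1)),
]
SUSPECT_BLOCK = ipaddress.ip_network("5.181.80.0/24")  # CIDR block named in the report


def in_suspect_block(ip: str) -> bool:
    """True if the address falls inside the block the C2 resolutions cluster in."""
    return ipaddress.ip_address(ip) in SUSPECT_BLOCK


def low_fanout_ips(records, max_domains: int = 5) -> dict:
    """IPs that resolve for only a handful of domains (the opposite of shared hosting)."""
    per_ip = defaultdict(set)
    for dom, ip, _, _ in records:
        per_ip[ip].add(dom)
    return {ip: sorted(doms) for ip, doms in per_ip.items() if len(doms) <= max_domains}


def co_moving_domains(records, min_shared: int = 2) -> list:
    """Domain pairs that share >= min_shared (ip, first_seen, last_seen) tuples, i.e.
    they resolved to the same IPs and changed at the same dates."""
    timeline = defaultdict(set)
    for dom, ip, first, last in records:
        timeline[dom].add((ip, first, last))
    doms = sorted(timeline)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if len(timeline[a] & timeline[b]) >= min_shared]


def cluster_hits(records) -> list:
    """Co-moving domains that also touched the suspect block: the strongest pivot."""
    hits = set()
    for a, b in co_moving_domains(records):
        ips = {ip for dom, ip, _, _ in records if dom in (a, b)}
        if any(in_suspect_block(ip) for ip in ips):
            hits.update((a, b))
    return sorted(hits)
```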
We discovered mentions of some of the C2 infrastructure from a since-deleted Telegram user in the notorious DDoS marketplace channel DStatCC. On October 11, 2023, the user asked other users in the chat to "Bin battle" him and referenced several C2 IP addresses and domains that match this activity cluster. The user referred to the domain "Infectedchink[.]cat" as their "Old ICANN domain" and said that their current domains are "Running over OpenNIC," an alternative DNS network that provides access to domains not administered by the Internet Corporation for Assigned Names and Numbers. The websites listed in the post carried equally troubling names such as "Shetoldmeshewas12" or "Shetoldmeshewas13" with varying top-level domains such as ". In late August 2023, a threat actor dump on Pastebin listed several of the C2 domains in this cluster, including "Infectedchink[.]cat". The C2 domains, IP addresses, hashes, and ports used all align with the activity in this report.

The Akamai SIRT is working with CISA/US-CERT and JPCERT to notify the vendors of the affected devices. First and foremost, check for default credentials on IoT devices and change them where they exist. If you find devices believed to be vulnerable in your environment, isolate them if possible and investigate for potential compromise. The importance of changing a device's default password cannot be overstated.

This Cyber News was published on www.akamai.com. Publication date: Thu, 30 Nov 2023 22:30:05 +0000

