A new Mirai-based malware botnet named 'InfectedSlurs' has been exploiting two zero-day remote code execution vulnerabilities to infect routers and network video recorder (NVR) devices. The malware hijacks the devices to make them part of its DDoS swarm, presumably rented out for profit.

The discovery of 'InfectedSlurs' comes from Akamai, who first spotted it on its honeypots in late October 2023. The botnet's initial activity dates back to late 2022.

The cybersecurity company reports that the impacted vendors haven't patched the two exploited flaws yet, so details about them are being withheld for now.

Akamai's Security Intelligence Response Team (SIRT) first discovered the botnet in October 2023, noticing unusual activity on a rarely used TCP port targeting their honeypots. The activity consisted of low-frequency probes attempting authentication via POST requests, followed by a command injection attempt.

Based on the data they held, SIRT analysts conducted an internet-wide scan and discovered that the targeted devices were linked to a specific NVR manufacturer, not named in the report for security reasons. The botnet leverages an undocumented RCE flaw to gain unauthorized access to the device.

"The SIRT did a quick check for CVEs known to impact this vendor's NVR devices and was surprised to find that we were looking at a new zero-day exploit being actively leveraged in the wild," reads Akamai's report.

Further examination showed that the malware also uses default credentials documented in the vendor's manuals for multiple NVR products to install a bot client and perform other malicious activities.

Looking closer into the campaign, Akamai discovered that the botnet also targets a wireless LAN router popular among home users and hotels, which suffers from another zero-day RCE flaw leveraged by the malware. The unnamed vendor of the router promised to release security updates that address the problem in December 2023.
The user also posted screenshots showing nearly ten thousand bots using the Telnet protocol and another 12,000 on specific device types/brands referred to as "Vacron," "Ntel," and "UTT-Bots."

Akamai says that analysis of the bot samples it caught in October 2023 shows few code modifications compared to the original Mirai botnet, so it is a self-propagating DDoS tool supporting attacks using SYN, UDP, and HTTP GET request floods.

Given the lack of a patch for the affected devices, rebooting your NVR and router devices should temporarily disrupt the botnet, since Mirai-based bots typically do not persist across a restart and the device has to be re-infected.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000