.svg)
.svg)
Picus Threat Library Updated for Vulnerability Exploitation Attacks Leveraged by Mirai Botnet Malware
Picus Labs has updated the Picus Threat Library with new vulnerability exploitation attacks leveraged by Mirai malware which has been active throughout 2016. Mirai is a botnet malware that transforms Linux-based networked devices into remotely managed bots that can be used in large-scale network attacks as part of a botnet. Its main targets are IoT devices such as IP cameras, routers, switches, and network security devices such as SSL VPN solutions. Mirai variants are designed for different CPU architectures, such as x86, ARM, MIPS, PowerPC and SPARC.
New Mirai Campaign Targeting Network Devices
In the last month, Unit 42 researchers discovered attacks that exploited a variety of vulnerabilities given in the following table:
|
Vulnerability |
Vulnerability Type |
Affected Product |
CVSS 3.1 Score |
|
Visualdoor |
Remote Command Injection |
SonicWall “Virtual Office” SSL-VPN |
9.8 Critical |
|
CVE-2020-25506 |
Remote Command Injection |
D-Link DNS-320 Firewall |
9.8 Critical |
|
CVE-2021-27561 |
Remote Code Execution |
Yealink Device Management |
9.8 Critical |
|
CVE-2021-22502 |
Remote Code Execution |
Micro Focus Operation Bridge Reporter (OBR) |
9.8 Critical |
|
CVE-2020-26919 |
Remote Code Execution |
NETGEAR ProSafe JGS516PE Switch |
9.8 Critical |
Upon successful exploitation of one of these vulnerabilities, the attackers attempt to download a malicious shell script by invoking the wget utility on the target device. The downloaded shell script then downloads multiple Mirai binaries that have been compiled for various architectures and runs them one by one.
Picus Labs Red Team examined these vulnerabilities and added the following threats to Picus Threat Library:
|
Picus ID |
Threat Name |
CVE |
|
373908 |
SonicWall SSL VPN Server Remote Code Execution Vulnerability |
|
|
470582 |
D-Link DNS320 Firewall Remote Code Execution (RCE) Vulnerability Variant-1 |
CVE-2020-25506 |
|
604066 |
Yealink Device Management Remote Code Execution (RCE) Vulnerability Variant-1 |
CVE-2021-27561 |
|
490108 |
Micro Focus Operations Bridge Manager OS Command Injection Variant-2 |
CVE-2021-22502 |
|
314732 |
Micro Focus Operations Bridge Manager OS Command Injection Variant-1 |
CVE-2021-22502 |
|
543188 |
Netgear ProSAFE Plus Remote Code Execution (RCE) Vulnerability Variant-1 |
CVE-2020-26919 |
Other Threats of Mirai in Picus Threat Library
Picus Threat Library consists of 31 threats of the MuddyWater threat group, including:
- Mirai Botnet .ELF File Download for ARM Architecture
- Mirai Botnet .ELF File Download for Power PC Architecture
- Mirai Botnet .ELF File Download for MIPS Architecture
- Mirai Botnet .ELF File Download for SPARC Architecture
- Mirai Botnet .ELF File Download for Intel 80386 Architecture
- Mirai Botnet .EXE File Download for Windows Operating System
References
[1] https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
