Picus Labs has enriched the Picus Threat Library with new simulations that replicate vulnerability exploitation techniques leveraged by Mirai, a botnet family active since 2016. Mirai turns Linux based, internet connected devices into remotely controlled bots that attackers can coordinate for large scale network abuse, most notably distributed denial of service attacks. The malware’s prime targets are IoT and SOHO gear such as IP cameras, DVRs, home and enterprise routers, switches, and network security appliances including SSL VPN gateways. To maximize reach, Mirai variants are compiled for multiple CPU architectures including x86, ARM, MIPS, PowerPC, and SPARC, allowing the same campaign to conscript a wide variety of devices across consumer and enterprise environments.
Mirai spreads through two main avenues: mass scanning for exposed services and opportunistic exploitation. Classic strains brute force default or weak Telnet and SSH credentials, while modern offshoots add web interface exploits and known vulnerabilities in popular firmware to gain remote code execution. Once a device is compromised, the bot reports to command and control infrastructure, disables competing malware, and awaits instructions to launch volumetric or application layer DDoS attacks using methods such as UDP floods, TCP SYN floods, HTTP GET floods, and GRE amplification. Because many IoT devices run outdated firmware and ship with default credentials, they offer attackers persistent footholds and significant aggregate bandwidth for amplificatio
In the last month, Unit 42 researchers discovered attacks that exploited a variety of vulnerabilities given in the following table:
|
Vulnerability |
Vulnerability Type |
Affected Product |
CVSS 3.1 Score |
|
Visualdoor |
Remote Command Injection |
SonicWall “Virtual Office” SSL-VPN |
9.8 Critical |
|
CVE-2020-25506 |
Remote Command Injection |
D-Link DNS-320 Firewall |
9.8 Critical |
|
CVE-2021-27561 |
Remote Code Execution |
Yealink Device Management |
9.8 Critical |
|
CVE-2021-22502 |
Remote Code Execution |
Micro Focus Operation Bridge Reporter (OBR) |
9.8 Critical |
|
CVE-2020-26919 |
Remote Code Execution |
NETGEAR ProSafe JGS516PE Switch |
9.8 Critical |
Upon successful exploitation of one of these vulnerabilities, the attackers attempt to download a malicious shell script by invoking the wget utility on the target device. The downloaded shell script then downloads multiple Mirai binaries that have been compiled for various architectures and runs them one by one.
Picus Labs Red Team examined these vulnerabilities and added the following threats to Picus Threat Library:
|
Picus ID |
Threat Name |
CVE |
|
373908 |
SonicWall SSL VPN Server Remote Code Execution Vulnerability |
|
|
470582 |
D-Link DNS320 Firewall Remote Code Execution (RCE) Vulnerability Variant-1 |
CVE-2020-25506 |
|
604066 |
Yealink Device Management Remote Code Execution (RCE) Vulnerability Variant-1 |
CVE-2021-27561 |
|
490108 |
Micro Focus Operations Bridge Manager OS Command Injection Variant-2 |
CVE-2021-22502 |
|
314732 |
Micro Focus Operations Bridge Manager OS Command Injection Variant-1 |
CVE-2021-22502 |
|
543188 |
Netgear ProSAFE Plus Remote Code Execution (RCE) Vulnerability Variant-1 |
CVE-2020-26919 |
Other Threats of Mirai in Picus Threat Library
Picus Threat Library consists of 31 threats of the MuddyWater threat group, including:
References
[1] https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/