Zerobot Botnet Emerges as a Growing Threat with New Exploits and Capabilities

December 22, 2022 | Ravie Lakshmanan | Internet of Things / Patch Management


The Zerobot DDoS botnet has undergone a major update that expands its ability to target more internet-connected devices and grow its network.

The Microsoft Threat Intelligence Center (MSTIC) tracks the ongoing threat as DEV-1061, its designation for an unknown, emerging, or developing cluster of activity.

First documented earlier this month by Fortinet FortiGuard Labs, Zerobot is Go-based malware that spreads through vulnerabilities in web applications and IoT devices such as firewalls, routers, and cameras.

“The latest distributions of Zerobot include additional features such as exploiting the Apache and Apache Spark vulnerabilities (CVE-2021-42013 and CVE-2022-33891, respectively) and new DDoS attack capabilities,” Microsoft researchers said.

Also known as ZeroStresser by its operators, the malware is advertised as a botnet for sale on various social media networks and offered as a DDoS service to other criminals.

According to Microsoft, one domain attached to Zerobot – zerostresser[.]com – is one of 48 domains seized this month by the US Federal Bureau of Investigation (FBI) for offering DDoS attack capabilities to paying customers.

The latest version of Zerobot discovered by Microsoft not only targets unpatched and improperly secured devices, but also attempts brute-force attacks over SSH and Telnet on ports 23 and 2323 in an effort to spread to other hosts.
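The spreading behaviour described above is noisy: one source tries many Telnet/SSH connections in a short span. As an added example (not code from the article, Microsoft or Fortinet), the Python below flags such sources in firewall logs; the iptables-style log format is assumed, and including SSH's default port 22 alongside the ports named in the article is my assumption.

```python
"""Flag sources that hammer Telnet/SSH ports the way a Zerobot-style spreader
would. Added example detection logic; not code from the article or vendors."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Ports the article names (23, 2323) plus SSH's default 22 (assumption).
WATCHED_PORTS = {22, 23, 2323}
THRESHOLD = 5      # attempts from one source inside WINDOW to flag it
WINDOW = timedelta(minutes=1)

# Assumed iptables-style log line; adjust the pattern for your firewall.
LINE_RE = re.compile(r"^(?P<ts>\S+) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)")

def parse_line(line):
    """Return (timestamp, src_ip, dst_port), or None for non-matching lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])

def find_bruteforce_sources(lines, threshold=THRESHOLD, window=WINDOW):
    """Map src_ip -> peak attempts to WATCHED_PORTS within any window-sized
    span, for sources that reach `threshold`; others are omitted."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] in WATCHED_PORTS:
            attempts[rec[1]].append(rec[0])
    flagged = {}
    for src, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):       # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged

# Constructed sample log lines (not real traffic): one source sprays Telnet
# ports, one hits HTTPS (ignored), one touches Telnet only twice.
SAMPLE_LOG = (
    [f"2022-12-22T10:00:{5*i:02d} fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT={40000+i} DPT={23 if i % 2 else 2323}" for i in range(6)]
    + [f"2022-12-22T10:00:{3*i:02d} fw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.1 PROTO=TCP SPT={41000+i} DPT=443" for i in range(8)]
    + [f"2022-12-22T10:0{i}:00 fw kernel: IN=eth0 SRC=192.0.2.9 DST=192.0.2.1 PROTO=TCP SPT={42000+i} DPT=23" for i in range(2)]
)
```

Running `find_bruteforce_sources(SAMPLE_LOG)` returns only the spraying source with its peak count; tune THRESHOLD and WINDOW to your environment's normal administrative traffic.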


Here is a list of newly added known flaws exploited by Zerobot 1.1:

  • CVE-2017-17105 (CVSS Score: 9.8) – Zivif PR115-204-P-RS Command Injection Vulnerability
  • CVE-2019-10655 (CVSS Score: 9.8) – Unauthenticated Remote Code Execution Vulnerability in Grandstream GAC2500, GXP2200, GVC3202, GXV3275 and GXV3240
  • CVE-2020-25223 (CVSS Score: 9.8) – Sophos SG UTM WebAdmin Remote Code Execution Vulnerability
  • CVE-2021-42013 (CVSS Score: 9.8) – Apache HTTP Server Remote Code Execution Vulnerability
  • CVE-2022-31137 (CVSS Score: 9.8) – Roxy-WI Remote Code Execution Vulnerability
  • CVE-2022-33891 (CVSS Score: 8.8) – Unauthenticated Command Injection Vulnerability in Apache Spark
  • ZSL-2022-5717 (CVSS Score: N/A) – MiniDVBLinux Remote Root Command Injection Vulnerability

Upon successful infection, the attack chain downloads a binary named “Zero” for the target's CPU architecture, allowing the malware to self-propagate to more susceptible systems exposed online.

Additionally, Zerobot is said to proliferate by scanning for and compromising devices with known vulnerabilities not included in the malware executable, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers.

Zerobot 1.1 also incorporates seven new DDoS attack techniques that utilize protocols such as UDP, ICMP, and TCP, demonstrating “continuous evolution and rapid addition of new features.”

“The shift to malware-as-a-service in the cyber economy has industrialized attacks, making it easier for attackers to purchase and use malware, establish and maintain access to compromised networks, and carry out attacks using off-the-shelf tools,” the tech giant said.
