VTA-00435 – ‘V3G4’ The New Variant of Mirai Botnet Targeting Linux Devices
A new variant of the Mirai botnet has been discovered that utilizes several security vulnerabilities to infect Linux and IoT devices. Palo Alto Networks Unit 42 identified the new version, dubbed V3G4, during the second half of 2022. Three separate campaigns were identified that are believed to have been conducted by the same threat actor. Once a vulnerable device is compromised, the botnet will take control of the device, and it will become a part of the botnet. The threat actor can then use the infected device to conduct further attacks, such as distributed denial-of-service (DDoS) attacks.
The attacks mainly target servers and networking devices running Linux. The adversary leverages up to 13 different flaws that could lead to remote code execution (RCE). Some of the significant vulnerabilities include critical flaws in Atlassian Confluence Server and Data Center, DrayTek Vigor routers, Airspan AirSpot, and Geutebruck IP cameras, among others. The oldest flaw on the list is CVE-2012-4869, an RCE bug in FreePBX.
Once the botnet successfully compromises a device, it retrieves the botnet payload from a remote server using wget and cURL utilities. The botnet checks to see if it’s already running on the infected machine and terminates other competing botnets such as Mozi, Okami, and Yakuza.
V3G4 also has a set of default or weak login credentials that it uses to carry out brute-force attacks through Telnet/SSH and proliferate to other machines. It establishes contact with a command-and-control server to await commands for launching DDoS attacks against targets via UDP, TCP, and HTTP protocols.
The vulnerabilities exploited by V3G4 are less complex than those observed in previous variants, but they maintain a critical security impact that can lead to remote code execution. The researchers at Unit 42 believe that this new variant is a significant threat to Linux and IoT devices, and they urge organizations to patch the vulnerabilities that the botnet leverages.
To recapitulate, the V3G4 variant of the Mirai botnet is a significant threat to Linux and IoT devices. It leverages up to 13 vulnerabilities that could lead to remote code execution and can be used to launch DDoS attacks against targets. Organizations should patch the vulnerabilities that the botnet exploits to protect their devices from compromise.
IoT, Server OS
Command and Control, Execution, Impact, Initial Access, Persistence
Exploit Public-Facing Application, Brute Force, Remote Services, Masquerading, Resource Exhaustion
Indicator of Compromise:
SuperPRO’s Threat Countermeasures Procedures:
1) Implement strong passwords
2) Enable multi-factor authentication
3) Ensure that the devices are up to date
Contributed by: Sazcomigo