Cybersecurity researchers have discovered a new campaign to introduce additional endpoints into the Mirai botnet.
According to a blog post from the Akamai Security Intelligence Response Team (SIRT), unknown threat actors have discovered and are currently exploiting two new zero-day vulnerabilities to amplify the infamous DDoS botnet.
Since the zero-days have yet to receive a patch, Akamai was careful not to reveal too much information and point more hackers in the right direction.
Weak references
“While this information is limited, we felt it was our responsibility to alert the community to the continued exploitation of these CVEs in the wild. There is a fine line between responsibly releasing information to help defenders and oversharing information that could enable further exploitation by hordes of threat actors,” the company points out.
All the researchers said is that the attackers found the flaws in at least one model of a network video recorder, as well as in an “outlet-based wireless LAN router built for hotels and residential applications.” The manufacturer is a Japanese company that “produces multiple switches and routers”.
As for the specifics of the vulnerability itself, it was found in a “very common” feature, leading researchers to speculate that other router models sold by the same manufacturer could also have it.
The flaws provide remote code execution (RCE) capabilities, and while these are currently used to drop Mirai, they could be used for virtually any other malware. The great thing is that in order to exploit the flaw, the attacker first needs some form of authentication. That’s why the attackers seem to be going for endpoints with weak or non-existent credentials. Those with passwords such as ‘password’ or ‘password1’ are the first to be compromised.
Akamai notified both manufacturers of the discovered flaws, and while one acknowledged the findings and promised a patch next month, the other remained silent. The status of that patch is currently unknown.