Hackers are using a known vulnerability in the Cacti device monitoring tool to install all kinds of malware on vulnerable endpoints, researchers say.
Cybersecurity researchers at The Shadowserver Foundation saw multiple attempts to deliver various malware via the critical command injection vulnerability, tracked as CVE-2022-46169.
Exploiting the flaw, which has a severity score of 9.8 (critical), threat actors were observed deploying Mirai malware, as well as an IRC botnet. Some threat actors were seen simply checking for the vulnerability, possibly in preparation for future attacks.
Thousands of unpatched copies
Mirai is a malware that primarily targets smart home devices running Linux, such as IP cameras and home routers, assimilating them into the Mirai botnet. The botnet can later be used for Distributed Denial of Service (DDoS) attacks, which can disrupt operations and shut down websites.
The IRC botnet was seen to open a reverse shell on the host and scan the ports of the endpoint.
In total, about 10 exploitation attempts were seen in the past week.
A Censys report claims that there are more than 6,000 Cacti instances reachable over the Internet, of which more than 1,600 are unpatched and thus vulnerable.
“Censys has observed 6,427 hosts on the internet running some version of Cacti. Unfortunately, we can only see the exact active software version when a specific theme (sunrise) is enabled on the web application,” said Censys. That said, it found 1,637 hosts reachable over the internet vulnerable to CVE-2022-46169, the majority (465) with version 1.1.38, which was released more than a year ago, it added.
In addition, Censys observed only 26 instances with an updated version that was not vulnerable.
As usual, the best way to protect your devices from such attacks is to ensure that all software is running the latest version.
Via: BleepingComputer