TP-Link routers and NVRs targeted by worrying new botnet
- Researchers found that multiple vulnerable endpoints were targeted by a new Mirai variant
- The endpoints are included in a botnet and used for DDoS attacks
- The vulnerabilities used in the attack are years old
Mirai, a notorious botnet that targets Internet of Things (IoT) devices for use in Distributed Denial of Service (DDoS) attacks, has acquired a new variant that now targets multiple vulnerable devices, experts warn.
The malware reportedly targets DigiEver DS-2105 Pro NVRs, multiple TP-Link routers with outdated firmware, and Teltonika RUT9XX routers. For DigiEver, Mirai is exploiting an unpatched RCE (Remote Code Execution) vulnerability that doesn’t even have a tracking number.
For TP-Link, Mirai exploits CVE-2023-1389, and for Teltonika it exploits CVE-2018-17532. It’s worth noting that the TP-Link flaw is a year old, while the Teltonika flaw is about six years old. This means that the crooks are mainly targeting organizations with poor cybersecurity and patching practices.
Mirai is an active threat
The campaign most likely started in September or October 2024 and, according to Akamai researchers, uses XOR and ChaCha20 encryption and targets various system architectures, including ARM, MIPS, and x86.
“While the use of complex decryption methods is not new, it indicates evolving tactics, techniques and procedures among Mirai-based botnet operators,” Akamai said.
“This is especially notable because many Mirai-based botnets still rely on the original string obfuscation logic from recycled code that was included in the original release of the Mirai malware source code.”
Juniper Research experts recently warned that Mirai operators were looking for no-compromise Session Smart routers.
“On Wednesday, December 11, 2024, several customers reported suspicious behavior on their Session Smart Network (SSN) platforms,” Juniper said in its security advisory.
Researchers also recently reported that cybercriminals exploited a flaw in the AVM1203, a surveillance camera model designed and sold by Taiwanese manufacturer AVTECH, to hijack its endpoints and assimilate them into the Mirai botnet.
Via BleepingComputer