Zerobot botnet expands to start exploiting Apache flaws


Zerobot, a botnet that infects various Internet of Things (IoT) devices and uses them for distributed denial of service (DDoS) attacks, has been updated with new features and new infection mechanisms.

A report from Microsoft’s security team states that the malware used to enlist IoT devices into the botnet has reached version 1.1.

With this upgrade, Zerobot can now exploit flaws in Apache HTTP Server and Apache Spark to compromise additional endpoints and later use them in attacks. The vulnerabilities used to deploy Zerobot are tracked as CVE-2021-42013 and CVE-2022-33891.

Abusing Apache flaws

CVE-2021-42013 exists because the fix shipped in Apache HTTP Server 2.4.50 for the earlier CVE-2021-41773 was incomplete.

Because that fix was insufficient, threat actors could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives, the cve.mitre.org site explains. “If files outside of these directories are not protected by the usual default ‘require all denied’ configuration, these requests may succeed. If CGI scripting is also enabled for these alias paths, it may allow remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.”
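As an added example (not from the article or from Microsoft’s report), the following Python detector scans constructed Apache access-log lines for dot segments that only appear after percent-decoding, which is how encoded traversal slipped past httpd’s URL normalization in CVE-2021-41773 and, double-encoded, past the 2.4.50 fix tracked as CVE-2021-42013. The log lines and the `/cgi-bin/` alias list are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format; none come from the article.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Dec/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [15/Dec/2022:10:01:03 +0000] "GET /docs/../index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.12 - - [15/Dec/2022:10:01:04 +0000] "GET /icons/.%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024 "-" "curl/7.79"
203.0.113.13 - - [15/Dec/2022:10:01:05 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 0 "-" "curl/7.79"
"""

# client, method, path and status from a combined-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Assumed alias paths with CGI enabled; traversal there is the RCE case the advisory describes.
CGI_ALIASES = ("/cgi-bin/",)


def encoded_traversal(raw_path):
    """Return (decode_rounds, decoded_path) when a '..' segment exists only after decoding.

    httpd collapses literal '..' segments before Alias mapping, so a literal one is not the
    bug; the tell-tale is a '..' absent from the raw request line but present after one
    (CVE-2021-41773, %2e) or two (CVE-2021-42013, %%32%65) percent-decoding rounds.
    """
    if ".." in raw_path.split("/"):
        return None
    current = raw_path
    for rounds in (1, 2, 3):
        decoded = unquote(current)
        if decoded == current:  # nothing left to decode
            return None
        if ".." in decoded.split("/"):
            return rounds, decoded
        current = decoded
    return None


def scan_log(text):
    """Yield one finding per request whose path carries encoded dot-segment traversal."""
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        hit = encoded_traversal(path)
        if hit is None:
            continue
        rounds, decoded = hit
        # a CGI alias plus a 200 response is the combination worth escalating first
        severity = "high" if path.startswith(CGI_ALIASES) else "medium"
        yield {"client": client, "method": method, "path": path, "decoded": decoded,
               "decode_rounds": rounds, "status": int(status), "severity": severity}
```

The second sample line shows why literal `..` is deliberately ignored: ordinary clients send it and httpd normalizes it, so alerting on it alone would be noise.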

CVE-2022-33891, on the other hand, affects the Apache Spark user interface. It lets an attacker impersonate a user by supplying an arbitrary username and ultimately execute arbitrary shell commands. It affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1, according to cve.mitre.org.

The new version of Zerobot also comes with new DDoS attack capabilities, Microsoft explains. These allow threat actors to hit different targets and make them inaccessible. In almost every attack type, the report states, the destination port can be modified, letting attackers who purchase the malware customize the attack as they see fit.
