A newly observed malware campaign is exploiting two zero-day vulnerabilities that allow remote code execution (RCE) to conscript routers and network video recorders (NVRs) into a Mirai-based distributed denial-of-service (DDoS) botnet.

According to an advisory from Akamai, “The payload specifically targets routers and network video recorders (NVRs) with default admin credentials, subsequently installing Mirai variants upon successful exploitation.” Details of the two vulnerabilities are being withheld for now so that the affected vendors can ship patches and so that other attackers cannot pick them up; a fix for one of the two is expected next month.

Akamai first spotted the attacks in late October 2023 through its honeypots. The attackers have not been identified.

The botnet has been dubbed InfectedSlurs after the offensive language used in its command-and-control (C2) servers and hard-coded strings. It is a variant of the JenX Mirai malware, first noted in January 2018. Akamai has also identified additional samples linked to hailBot, another Mirai variant that surfaced in September 2023, as documented in an analysis by NSFOCUS.

hailBot is built on Mirai's source code and spreads both by exploiting vulnerabilities and by logging in with weak passwords. Once running, it can execute operator-issued commands, including ones used for unauthorized data access and distribution.
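The weak-password propagation described above is what shows up in honeypot logs as a rapid cycle through a fixed list of factory credentials. The detection below is an added example, not Akamai's or NSFOCUS's code: the log line format and the sample lines are constructed for illustration, and the credential pairs are a small subset of the well-known list shipped in the leaked Mirai source.

```python
"""Flag Mirai-style default-credential spraying in honeypot login logs.

Added example (not Akamai's or NSFOCUS's code). The log format and the
sample lines below are constructed for illustration; the credential pairs
are a subset of the well-known list shipped in the leaked Mirai source.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Subset of the hard-coded credential list from the public Mirai source.
MIRAI_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "123456"), ("root", "54321"),
    ("support", "support"), ("admin", "password"), ("root", "root"),
}

# Constructed log line format (hypothetical honeypot), e.g.:
# 2023-10-31T02:14:07Z telnet src=203.0.113.7 user=root pass=xc3511 result=fail
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\w+) src=(?P<src>[\d.]+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>\w+)$"
)


def parse_line(line):
    """Parse one honeypot line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return d


def find_credential_sprayers(lines, window=timedelta(minutes=5), min_defaults=3):
    """Return {src_ip: [(user, pass), ...]} for sources that try at least
    `min_defaults` distinct Mirai default pairs within `window`.

    A single default login attempt is noise; several different entries from
    the Mirai list within minutes is the bot's credential loop."""
    attempts = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        attempts[ev["src"]].append((ev["ts"], (ev["user"], ev["pw"])))

    flagged = {}
    for src, evs in attempts.items():
        evs.sort()
        # Sliding window anchored at each attempt in turn.
        for i, (t0, _) in enumerate(evs):
            seen = set()
            for t, cred in evs[i:]:
                if t - t0 > window:
                    break
                if cred in MIRAI_DEFAULT_CREDS:
                    seen.add(cred)
            if len(seen) >= min_defaults:
                flagged[src] = sorted(seen)
                break
    return flagged


# Constructed sample log: one Mirai-style sprayer, one slow poke, one
# legitimate login.
SAMPLE_LOG = """\
2023-10-31T02:14:07Z telnet src=203.0.113.7 user=root pass=xc3511 result=fail
2023-10-31T02:14:09Z telnet src=203.0.113.7 user=root pass=vizxv result=fail
2023-10-31T02:14:11Z telnet src=203.0.113.7 user=admin pass=admin result=fail
2023-10-31T02:14:13Z telnet src=203.0.113.7 user=root pass=888888 result=success
2023-10-31T02:20:00Z http src=198.51.100.4 user=admin pass=admin result=fail
2023-10-31T03:40:00Z http src=198.51.100.4 user=root pass=root result=fail
2023-10-31T02:30:00Z ssh src=192.0.2.9 user=alice pass=correct-horse result=success
""".splitlines()

if __name__ == "__main__":
    for src, creds in find_credential_sprayers(SAMPLE_LOG).items():
        print(src, creds)
```

Only 203.0.113.7 is flagged: it tries four different Mirai defaults in six seconds. The second source uses two defaults but more than an hour apart, so a five-minute window never holds three; tune `window` and `min_defaults` to the honeypot's traffic rather than treating these values as fixed.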

Akamai researchers had earlier detailed a web shell named wso-ng, an advanced version of the WSO web shell. It hides its login page behind a fake 404 error page and integrates with legitimate services such as VirusTotal; it can also retrieve metadata from the compromised host to support lateral movement and search for Redis database connections, which can expose sensitive data to the attacker.

Microsoft has highlighted what web shells give attackers: the ability to run commands on a compromised server, which supports data theft, lateral movement, and other follow-on activity within the organization.

Separately, Infoblox has reported widespread abuse of compromised legitimate domains for command-and-control: visitors to the compromised sites are redirected to intermediary C2 and domain generation algorithm (DGA) domains. Infoblox attributes the activity to a threat actor it tracks as VexTrio.

Update

Akamai has since disclosed that the InfectedSlurs operators are exploiting vulnerabilities in Future X Communications (FXC) AE1021 and AE1021PE wall outlet routers and in QNAP VioStor NVR appliances. Both are operating system command injection flaws rated 8.8 (High) on the CVSS scale: an authenticated attacker can execute arbitrary commands remotely, and because the targeted devices still carry default admin credentials, the authentication requirement is no real obstacle.
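The combination the advisory describes, an authenticated command injection behind a default password, is shown below as an added example. This is not the FXC or QNAP firmware: the `diagnose_host` endpoint, its parameter, the `admin`/`admin` default and the session check are all hypothetical, and `echo` stands in for whatever network utility the real handler wraps. The pattern is the one that matters: a logged-in user's parameter is spliced into a shell string, and the hardened version validates it against an allowlist and drops the shell entirely.

```python
"""Authenticated OS command injection in a device admin handler, vulnerable
and hardened side by side.

Added example, not the FXC or QNAP firmware: the endpoint, its parameter
name, the default credential and the session check are hypothetical.
"""
import re
import subprocess

# Hypothetical factory-default admin credential, the kind Mirai tries.
DEFAULT_ADMIN = ("admin", "admin")


def authenticated(user, password):
    """Device 'authentication': accepts the unchanged default password."""
    return (user, password) == DEFAULT_ADMIN


def diagnose_host_vulnerable(user, password, host):
    """Vulnerable: the host parameter is interpolated into a shell string.

    The login check is satisfied by the default credential, so it does not
    stop an attacker who knows it; `host` then reaches /bin/sh unfiltered."""
    if not authenticated(user, password):
        raise PermissionError("login required")
    cmd = f"echo resolving {host}"          # stands in for e.g. ping/nslookup
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allowlist for a hostname or dotted IPv4 literal (RFC 1123 label rules).
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def diagnose_host_hardened(user, password, host):
    """Hardened: allowlist-validate the parameter, then pass it as a single
    argv element with no shell, so metacharacters are never interpreted."""
    if not authenticated(user, password):
        raise PermissionError("login required")
    if not HOST_RE.match(host):
        raise ValueError(f"invalid host: {host!r}")
    return subprocess.run(["echo", "resolving", host],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "192.0.2.10; echo INJECTED"   # what the attacker sends
    print(diagnose_host_vulnerable("admin", "admin", payload), end="")
    try:
        diagnose_host_hardened("admin", "admin", payload)
    except ValueError as e:
        print("rejected:", e)
```

The vulnerable handler runs both `echo resolving 192.0.2.10` and `echo INJECTED`; the hardened one rejects the payload before any process is spawned. On a real device the second half of the fix is forcing a password change on first boot, since the handler's own check is only as good as the credential behind it.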

Vulnerabilities like these matter most for IoT devices, which are routinely conscripted into attack infrastructure without their owners noticing. Akamai's researchers urge users to change default passwords during setup so that their devices do not become unwitting participants in DDoS attacks or cryptomining operations.

The campaign shows how far basic hygiene goes: many consumers do not realize that the credentials on IoT devices can and should be changed, and devices left at factory defaults are exactly what this botnet looks for.
