The Zerobot DDoS botnet has received a significant update that widens the set of internet-connected devices it can compromise and grow its network with. Microsoft Threat Intelligence Center (MSTIC) is tracking the threat as DEV-1061; Microsoft's "DEV-" prefix denotes an activity cluster that is still unidentified, emerging, or developing and has not yet been attributed to a named actor.
First reported by Fortinet FortiGuard Labs, Zerobot is written in Go and spreads by exploiting vulnerabilities in web applications and Internet of Things (IoT) devices, including firewalls, routers, and cameras. Microsoft researchers noted that the latest iteration adds new capabilities, including exploits for Apache HTTP Server (CVE-2021-42013) and Apache Spark (CVE-2022-33891), alongside new DDoS attack methods.
Operating under the guise of ZeroStresser, the malware functions as a DDoS-for-hire service available to other cybercriminals, with advertisements circulating across various social media platforms. Notably, the U.S. Federal Bureau of Investigation (FBI) recently seized 48 domains associated with Zerobot, including zerostresser[.]com, which were linked to illicit DDoS services aimed at paying customers.
The current version of Zerobot does not only target unpatched devices: it also propagates by brute-forcing SSH and Telnet logins on ports 23 and 2323. A device with weak or default credentials is therefore at risk even when it is fully patched, since the botnet combines vulnerability exploitation with credential guessing.
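The credential-guessing behaviour described above is easy to spot in authentication logs once failures are grouped per source and protocol. The following is an added example for this write-up and is not Zerobot code or a Microsoft detection: it parses constructed SSH and Telnet log lines (the telnetd line format, hostnames, addresses, usernames, threshold and window are all assumptions) and alerts on any source that fails enough logins inside one sliding time window.

```python
"""Detect SSH/Telnet password-guessing bursts in auth log lines.

Added example for this write-up, not Zerobot code. The log line formats
(especially the telnetd one), hostnames, addresses, usernames and the
threshold/window are assumptions; every sample line is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of SSH failures from one source, a burst of
# Telnet failures on port 2323 from another, one legitimate key-based login,
# and a single isolated SSH failure that should not alert.
SAMPLE_LOG = """\
2022-12-20T10:00:01Z gw1 sshd[411]: Failed password for root from 198.51.100.7 port 52000 ssh2
2022-12-20T10:00:02Z gw1 sshd[412]: Failed password for admin from 198.51.100.7 port 52001 ssh2
2022-12-20T10:00:03Z gw1 sshd[413]: Failed password for invalid user pi from 198.51.100.7 port 52002 ssh2
2022-12-20T10:00:04Z gw1 sshd[414]: Failed password for invalid user ubnt from 198.51.100.7 port 52003 ssh2
2022-12-20T10:00:05Z gw1 sshd[415]: Failed password for invalid user support from 198.51.100.7 port 52004 ssh2
2022-12-20T10:00:10Z cam2 telnetd[77]: login failed for 'root' from 203.0.113.9 on port 2323
2022-12-20T10:00:11Z cam2 telnetd[77]: login failed for 'admin' from 203.0.113.9 on port 2323
2022-12-20T10:00:12Z cam2 telnetd[77]: login failed for 'user' from 203.0.113.9 on port 2323
2022-12-20T10:00:13Z cam2 telnetd[77]: login failed for 'guest' from 203.0.113.9 on port 2323
2022-12-20T10:00:14Z cam2 telnetd[77]: login failed for 'service' from 203.0.113.9 on port 2323
2022-12-20T10:05:00Z gw1 sshd[420]: Accepted publickey for ops from 192.0.2.5 port 50000 ssh2
2022-12-20T11:00:00Z gw1 sshd[430]: Failed password for root from 192.0.2.50 port 50100 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<svc>sshd|telnetd)\[\d+\]: (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
TELNET_FAIL_RE = re.compile(r"login failed for '(?P<user>[^']*)' from (?P<src>\S+) on port (?P<port>\d+)")


def parse_failures(log_text):
    """Return (timestamp, protocol, src_ip, username, target_host) per failed login."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if m["svc"] == "sshd":
            proto, f = "ssh", SSH_FAIL_RE.search(m["msg"])
        else:
            proto, f = "telnet", TELNET_FAIL_RE.search(m["msg"])
        if f:
            events.append((ts, proto, f["src"], f["user"], m["host"]))
    return events


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Alert on any source that fails >= threshold logins within one sliding window.

    Windowing per (source, protocol) keeps a lone failed login, or a slow
    scan spread across hours, from tripping the rule; only a burst does.
    """
    by_src = defaultdict(list)
    for ev in parse_failures(log_text):
        by_src[(ev[2], ev[1])].append(ev)

    alerts = []
    for (src, proto), evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "src": src,
                    "proto": proto,
                    "target": evs[end][4],
                    "attempts": end - start + 1,
                    "users": sorted({e[3] for e in evs[start:end + 1]}),
                    "first": evs[start][0],
                    "last": evs[end][0],
                })
                break  # one alert per source/protocol is enough
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"{a['proto']} brute force from {a['src']} against {a['target']}: "
              f"{a['attempts']} failures, users tried {a['users']}")
```

The list of usernames tried is kept in the alert on purpose: a short run of vendor default accounts (root, admin, support, ubnt) is the signature of an IoT credential list rather than a user mistyping a password, and it tells the responder which default accounts to disable first.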
The vulnerabilities newly added in Zerobot 1.1 include command injection flaws in several device types, all carrying high CVSS scores, so a successful exploit typically hands the attacker code execution on the device. Once it has gained access, Zerobot downloads a binary named "zero" built for the target's CPU architecture; that binary then scans the internet for further exposed, vulnerable systems and infects them, which is how the botnet self-propagates.
Zerobot has also been observed spreading through vulnerabilities that are not coded into the binary itself, for example CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers. The latest version further introduces seven new DDoS attack methods built on UDP, ICMP, and TCP, a sign that the malware is under continuous development and gaining capabilities quickly.
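Whatever the specific flood method, traffic from a botnet of compromised IoT devices arrives at the victim from many sources at once, and that is the property a defender can key on. The block below is an added example for this write-up, not Zerobot code and not a reconstruction of its seven methods: it aggregates constructed flow records (the record shape, addresses, packet counts and thresholds are assumptions) per destination and protocol into one-second buckets and flags a flood only when both the packet rate and the number of distinct sources are high.

```python
"""Per-protocol volumetric flood detection over flow records.

Added example for this write-up, not Zerobot code and not a description of
its seven attack methods. The flow-record shape, addresses, packet counts
and thresholds are assumptions; all records below are constructed.
"""
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
T0 = datetime(2022, 12, 20, 12, 0, 0)  # assumed capture start


def _flow(sec, src, dst, proto, pkts):
    """Build one (timestamp, src, dst, proto, packets) record, sec seconds after T0."""
    return (T0 + timedelta(seconds=sec), src, dst, proto, pkts)


# Constructed sample: 40 sources each push 400 UDP packets per second at
# 192.0.2.10 for five seconds (a distributed flood); one host pushes a large
# single-source TCP transfer to 192.0.2.20; five clients exchange modest TCP
# traffic with 192.0.2.30.
SAMPLE_FLOWS = (
    [_flow(s, f"203.0.113.{i}", "192.0.2.10", "udp", 400)
     for s in range(5) for i in range(1, 41)]
    + [_flow(s, "198.51.100.3", "192.0.2.20", "tcp", 20000) for s in range(5)]
    + [_flow(s, f"192.0.2.{50 + i}", "192.0.2.30", "tcp", 30)
       for s in range(5) for i in range(5)]
)


def bucket_flows(flows, bucket=timedelta(seconds=1)):
    """Sum packets and collect distinct sources per (dst, proto, bucket index)."""
    agg = {}
    for ts, src, dst, proto, pkts in flows:
        idx = (ts - EPOCH) // bucket  # integer bucket number since the epoch
        entry = agg.setdefault((dst, proto, idx), {"packets": 0, "sources": set()})
        entry["packets"] += pkts
        entry["sources"].add(src)
    return agg


def detect_floods(flows, pps_threshold=10000, min_sources=10,
                  bucket=timedelta(seconds=1)):
    """Flag (dst, proto) pairs hit by >= pps_threshold packets/s from >= min_sources.

    Requiring many distinct sources is what separates a botnet flood from a
    single heavy but legitimate sender, the usual false positive of a plain
    rate rule. ICMP is handled identically; the constructed sample has none.
    """
    alerts = {}
    for (dst, proto, _idx), entry in bucket_flows(flows, bucket).items():
        pps = entry["packets"] / bucket.total_seconds()
        if pps >= pps_threshold and len(entry["sources"]) >= min_sources:
            a = alerts.setdefault((dst, proto),
                                  {"peak_pps": 0.0, "sources": set(), "buckets": 0})
            a["peak_pps"] = max(a["peak_pps"], pps)
            a["sources"] |= entry["sources"]
            a["buckets"] += 1
    return alerts


if __name__ == "__main__":
    for (dst, proto), a in detect_floods(SAMPLE_FLOWS).items():
        print(f"{proto.upper()} flood on {dst}: peak {a['peak_pps']:.0f} pps "
              f"from {len(a['sources'])} sources over {a['buckets']} s")
```

The single-source TCP transfer in the sample exceeds the packet-rate threshold but is not reported, because it fails the distinct-source condition; dropping `min_sources` to 1 turns the rule into a plain rate alarm and reports it as well. Real thresholds have to be set from a baseline of the protected host's normal traffic.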
Microsoft has emphasized that the rise of malware as a service in the cyber landscape has industrialized attacks, rendering it easier for cybercriminals to acquire and utilize sophisticated tools for their operations. This trend raises significant concerns regarding how businesses manage their cybersecurity strategies.
Defending against Zerobot calls for more than one control, because the botnet enters through both unpatched vulnerabilities and weak credentials: patch internet-exposed web applications and IoT devices, replace default passwords and disable Telnet where it is not needed, and limit which management interfaces are reachable from the internet. Mapping the botnet's behaviour onto the MITRE ATT&CK framework, in particular the initial access, persistence, and privilege escalation tactics, helps organisations check that their detections and hardening cover each stage of such an attack.
NOTE: This discussion of Zerobot pertains specifically to a botnet primarily disseminating through IoT and web application vulnerabilities and does not relate to the chatbot ZeroBot.ai.