A variant of the notorious Mirai botnet has been identified exploiting a recently disclosed vulnerability in Four-Faith industrial routers, with operations reportedly commencing in early November 2024. The primary aim of this botnet is to facilitate distributed denial-of-service (DDoS) attacks, significantly disrupting target networks.
This particular botnet is characterized by around 15,000 active IP addresses, concentrated largely in countries such as China, Iran, Russia, Turkey, and the United States. The infections are primarily achieved through a combination of over 20 known security vulnerabilities and the exploitation of weak Telnet credentials.
According to QiAnXin XLab, the botnet, referenced as “gayfemboy” due to the presence of an offensive term in its source code, has been active since February 2024. The researchers noted that as of November 9, 2024, the malware began taking advantage of a zero-day vulnerability specific to industrial routers produced by Four-Faith, allowing for the malware’s propagation.
The vulnerability at the center of these attacks is identified as CVE-2024-12856, which has a CVSS score of 7.2. This OS command injection flaw affects primarily the F3x24 and F3x36 router models and is exploitable where the default factory credentials have not been changed. Reports from VulnCheck indicate that the vulnerability has already been exploited in real-world attacks to deploy reverse shells and Mirai-like payloads on affected devices.
The range of vulnerabilities exploited by the botnet is extensive and includes well-known issues such as CVE-2013-3307 and CVE-2013-7471, along with others extending up to CVE-2024-8957. This breadth of exploitation enhances the botnet’s capacity to extend its reach and operational scale.
Once deployed, the malware employs stealth techniques to conceal its activities, while utilizing a Mirai-based command and control framework. This enables it to scan for additional vulnerable units, update its own software, and orchestrate DDoS attacks against selected targets. DDoS activities linked to this botnet have reportedly reached new heights in October and November 2024, regularly directing traffic spikes around 100 Gbps toward hundreds of different entities for periods lasting between 10 and 30 seconds.
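The attack pattern described above (traffic spikes of roughly 100 Gbps against a target, sustained for 10 to 30 seconds) is short enough that per-minute averages can hide it. The following detector is an added example written for this article; it is not code from XLab, Four-Faith, or the botnet. It parses a constructed per-second flow summary format (`timestamp dst=IP bytes=N`, an assumption made for illustration), groups samples by destination, and reports runs of consecutive seconds above a configurable threshold whose length falls in the 10 to 30 second window the article reports. The 50 Gbps threshold is an assumed value chosen to catch the ramp toward a 100 Gbps peak.

```python
"""Flag short, high-volume traffic bursts in per-second flow summaries.

Added defensive example. The log format and sample data below are constructed
for illustration and are not real flow-exporter output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

GBPS = 1_000_000_000  # bits per second in one gigabit

# Constructed line format: "<ISO-8601 UTC timestamp> dst=<IP> bytes=<bytes in that second>"
LINE_RE = re.compile(r"^(?P<ts>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")


def parse_flow_log(text):
    """Parse flow-summary lines into {dst: [(epoch_second, bits_in_that_second), ...]}."""
    per_dst = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate unrelated or malformed lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        per_dst[m["dst"]].append((int(ts.timestamp()), int(m["bytes"]) * 8))
    for series in per_dst.values():
        series.sort()  # exporters rarely guarantee ordering
    return per_dst


def find_bursts(series, threshold_bps, min_seconds=10, max_seconds=30):
    """Return [(start_epoch, duration_seconds, peak_gbps)] for runs of consecutive
    seconds at or above threshold_bps whose length is within [min_seconds, max_seconds].
    The 10-30 second defaults follow the burst lengths reported for this botnet."""
    bursts = []
    run = []  # consecutive (second, bits) samples above threshold

    def flush():
        if min_seconds <= len(run) <= max_seconds:
            peak_gbps = max(bits for _, bits in run) / GBPS
            bursts.append((run[0][0], len(run), peak_gbps))
        run.clear()

    for sec, bits in series:
        contiguous = bool(run) and sec == run[-1][0] + 1
        if bits >= threshold_bps and (not run or contiguous):
            run.append((sec, bits))
        else:
            flush()  # gap in time or traffic dropped below threshold
            if bits >= threshold_bps:
                run.append((sec, bits))
    flush()
    return bursts


def detect(text, threshold_gbps=50):
    """Map each destination that saw at least one qualifying burst to its bursts."""
    per_dst = parse_flow_log(text)
    found = {dst: find_bursts(s, threshold_gbps * GBPS) for dst, s in per_dst.items()}
    return {dst: b for dst, b in found.items() if b}


def make_sample_log():
    """Constructed sample: 40 seconds of baseline traffic to two hosts, with a
    12-second ~104 Gbps burst toward 203.0.113.10 and a 3-second burst toward
    203.0.113.20 (too short to match the 10-30 second window)."""
    t0 = datetime(2024, 11, 9, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(40):
        ts = (t0 + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        a = 13_000_000_000 if 5 <= i < 17 else 1_000_000  # 13 GB/s == 104 Gbps
        b = 13_000_000_000 if 20 <= i < 23 else 1_000_000
        lines.append(f"{ts} dst=203.0.113.10 bytes={a}")
        lines.append(f"{ts} dst=203.0.113.20 bytes={b}")
    return "\n".join(lines)


if __name__ == "__main__":
    for dst, bursts in detect(make_sample_log()).items():
        for start, duration, peak in bursts:
            when = datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
            print(f"{dst}: burst from {when} lasting {duration}s, peak {peak:.0f} Gbps")
```

Because the run tracker requires consecutive seconds, a one-second gap in the export splits a burst in two; on real exporters that skip empty intervals you would fill missing seconds with zero before calling `find_bursts`, and lower `min_seconds` if you also want the shorter probing bursts surfaced.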
This development follows recent warnings from Juniper Networks about malicious actors targeting Session Smart Router products with default passwords to deploy Mirai malware. Additionally, Akamai has highlighted similar infections that exploit a remote code execution vulnerability in DigiEver DVRs. The botnet’s architecture poses a significant threat across a variety of sectors and has raised concern among cybersecurity experts.
As articulated by XLab researchers, the DDoS attack phenomena represent a formidable challenge in cybersecurity, demonstrating diverse attack strategies and evolving techniques that can inflict severe damage on enterprises, government institutions, and end users alike.
In a related development, threat actors have been seen exploiting insecure and improperly configured PHP servers, particularly through CVEs involving remote code execution flaws, to deploy cryptocurrency miners, underscoring the broad spectrum of cyber threats facing organizations today.
