A new Mirai botnet variant has evolved to exploit 13 different vulnerabilities found on routers, surveillance products and other internet of things (IoT) devices.
The new Mirai variant uses 13 distinct exploits, most of which attackers have used in previous Mirai-related malware attacks. However, the recent attack campaign is the first case in which Mirai has leveraged all 13 together, according to a Trend Micro report.
Trend Micro confirmed that three of the exploits relate to bugs in the ThinkPHP web development framework and in specific Huawei and Linksys routers. The other 10 vulnerabilities were found inside the exploit_worker() function.
Two of the 13 exploits used in the latest attacks, the ThinkPHP 5.0.23/5.1.31 RCE and the Linksys RCE, had not been used in previous Mirai campaigns.
The full list of the 13 exploits included in the Trend Micro report, along with relevant attacks, is:
- Vacron NVR CVE (Omni)
- CVE-2018-10561, CVE-2018-10562 (Omni, Mirai scanning)
- CVE-2015-2051 (Omni, Hakai)
- CCTV-DVR RCE (Omni, Yowai)
- CVE-2014-8361 (Omni)
- UPnP SOAP TelnetD command execution (Omni)
- Eir WAN side remote command injection (Omni)
- Netgear Setup.cgi RCE (Omni)
- CVE-2016-6277 (Omni, VPNFilter infection)
- MVPower DVR shell command execution (Omni)
- CVE-2017-17215 (Omni, Satori, Miori)
- Linksys RCE (TheMoon)
- ThinkPHP 5.0.23/5.1.31 RCE (Hakai, Yowai)
Readers may also note that many of these vulnerabilities are older and have had patches available for quite some time. This speaks to the challenge organizations face in keeping IoT-related devices up to date to prevent similar exploits.