Security News

The US government's Cybersecurity and Infrastructure Security Agency is adding three more flaws to its list of known-exploited vulnerabilities, including one involving TP-Link routers that is being targeted by the operators of the notorious Mirai botnet. Trend Micro's Zero Day Initiative threat-hunting group early last week wrote in a report that in mid-April miscreants behind the please-can't-it-just-die Mirai botnet were beginning to exploit the flaw primarily by attacking devices in Eastern Europe, though the campaign soon expanded beyond that region.

The Mirai malware botnet is actively exploiting a TP-Link Archer A21 WiFi router vulnerability tracked as CVE-2023-1389 to incorporate devices into DDoS swarms. Researchers first abused the flaw during the Pwn2Own Toronto hacking event in December 2022, where two separate hacking teams breached the device using different pathways.

A new variant of the notorious Mirai botnet has been found leveraging several security vulnerabilities to propagate itself to Linux and IoT devices. "Once the vulnerable devices are compromised, they will be fully controlled by attackers and become a part of the botnet," Unit 42 researchers said.

A new Mirai botnet variant tracked as 'V3G4' targets 13 vulnerabilities in Linux-based servers and IoT devices to use in DDoS attacks. The malware spreads by brute-forcing weak or default telnet/SSH credentials and exploiting hardcoded flaws to perform remote code execution on the target devices.

A new version of the Medusa DDoS botnet, based on Mirai code, has appeared in the wild, featuring a ransomware module and a Telnet brute-forcer. Medusa is an old malware strain being advertised in darknet markets since 2015, which later added HTTP-based DDoS capabilities in 2017.

Web infrastructure and security company Cloudflare disclosed this week that it halted a 2.5 Tbps distributed denial-of-service attack launched by a Mirai botnet. Characterizing it as a "Multi-vector attack consisting of UDP and TCP floods," researcher Omer Yoachimik said the DDoS attack targeted the Minecraft server Wynncraft in Q3 2022.

A variant of the Mirai botnet known as MooBot is co-opting vulnerable D-Link devices into an army of denial-of-service bots by taking advantage of multiple exploits. "If the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct further attacks such as distributed denial-of-service attacks," Palo Alto Networks Unit 42 said in a Tuesday report.

Recently reported VMware bugs are being used by hackers who are focused on using them to deliver Mirai denial-of-service malware and exploit the Log4Shell vulnerability. Security researchers at Barracuda discovered that attempts were made to exploit the recent vulnerabilities CVE-2022-22954 and CVE-2022-22960, both reported last month.

A threat group that pursues crypto mining and distributed denial-of-service attacks has been linked to a new botnet called Enemybot, which has been discovered enslaving routers and Internet of Things devices since last month. "This botnet is mainly derived from Gafgyt's source code but has been observed to borrow several modules from Mirai's original source code," Fortinet FortiGuard Labs said in a report this week.

The recently disclosed critical Spring4Shell vulnerability is being actively exploited by threat actors to execute the Mirai botnet malware, particularly in the Singapore region since the start of April 2022. The development comes as the U.S. Cybersecurity and Infrastructure Security Agency earlier this week added the Spring4Shell vulnerability to its Known Exploited Vulnerabilities Catalog based on "Evidence of active exploitation."