IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits

This post is also available in: 日本語 (Japanese)

Executive Summary

Since March 2023, Unit 42 researchers have observed threat actors leveraging several IoT vulnerabilities to spread a variant of the Mirai botnet. The vulnerabilities exploited include those listed in the following table:

The threat actors have the ability to gain complete control over the compromised devices, integrating those devices into the botnet. These devices are then used to execute additional attacks, including distributed denial-of-service (DDoS) attacks.

Palo Alto Networks Next-Generation Firewall customers receive protection through Cloud-Delivered Security Services such as Internet of Things (IoT) Security, Advanced Threat Prevention, WildFire and Advanced URL Filtering, which can help detect and block the exploit traffic and malware.

Campaign Analysis

On March 14, 2023, Unit 42 researchers observed some remote command execution exploit traffic from our internal threat-hunting system, originating from 185.44.81[.]114. The threat actor tried to download a shell script downloader as a file named y from hxxp://zvub[.]us/.

If executed, the shell script downloader would download and execute the following bot clients to accommodate different Linux architectures:

• hxxp://185.225.74[.]251/armv4l
• hxxp://185.225.74[.]251/armv5l
• hxxp://185.225.74[.]251/armv6l
• hxxp://185.225.74[.]251/armv7l
• hxxp://185.225.74[.]251/mips
• hxxp://185.225.74[.]251/mipsel
• hxxp://185.225.74[.]251/sh4
• hxxp://185.225.74[.]251/x86_64
• hxxp://185.225.74[.]251/i686
• hxxp://185.225.74[.]251/i586
• hxxp://185.225.74[.]251/arc
• hxxp://185.225.74[.]251/m68k
• hxxp://185.225.74[.]251/sparc

After executing the bot client, the shell script downloader will delete the client executable file to cover its tracks.

Unit 42 researchers conducted an analysis of the malware host domain and found out there are two IP addresses corresponding to the domain zvub[.]us:

• 185.44.81[.]114 (From Aug. 15, 2022, to March 24, 2023)
• 185.225.74[.]251 (After March 25, 2023)

Upon conducting a thorough retrospective analysis, we noticed telnet brute force attempts from 185.44.81[.]114 since Oct. 6, 2022, and attempts to exploit multiple vulnerabilities since March 14, 2023.

Unit 42 researchers also noticed another campaign from source IP 193.32.162[.]189 since April 11, 2023, that delivers the same shell downloader from zvub[.]us, as shown in Figure 1. Based on our analysis, we believe that the same threat actor operated these two campaigns for the following reasons:

• The two campaigns share the same infrastructure.
• The botnet samples are almost identical.

Figure 2 is a diagram illustrating the campaign overview.

Malware Analysis

Based on behavior and patterns Unit 42 researchers observed while analyzing the downloaded botnet client samples, we believe the sample is a variant of the Mirai botnet.

Upon execution, the botnet client prints listening tun0 to the console. The malware also contains a function that ensures only one instance of this malware runs on the same device. If a botnet process already exists, the botnet client will terminate the current running process and start a new one.

For the botnet client configuration string, the Mirai variant (like IZ1H9 and V3G4) will first initialize an encrypted string table and then retrieve the strings through an index. However, this Mirai variant will directly access the encrypted strings in the .rodata section via an index (as shown in Figure 3).

Also, notice that for Mirai variants like IZ1H9 and V3G4, the configuration contains a string that indicates the branch name of this variant (for example, /bin/busybox IZ1H9) while this variant does not have a branch name.

For the configuration decryption, this Mirai variant first uses a table key 0xDEADBEEF to generate a single-byte config decryption key 0x22, then for the encrypted configuration, the malware performs XOR decryption with the following bytewise operations:

encrypted_char ^ 0x22 = decrypted_char

During the analysis, Unit 42 researchers noticed that this Mirai sample doesn’t contain the functionality to brute force telnet/SSH login credentials and exploit vulnerabilities, which means the only channels for spreading this variant are the botnet operator’s manual vulnerability exploitation attempts.

Conclusion

The widespread adoption of IoT devices has become a ubiquitous trend. However, the persistent security concerns surrounding these devices cannot be ignored. The Mirai botnet, discovered back in 2016, is still active today. A significant part of the reason for its popularity among threat actors lies in the security flaws of IoT devices.

These remote code execution vulnerabilities targeting IoT devices exhibit a combination of low complexity and high impact, making them an irresistible target for threat actors. As a result, protecting IoT devices against such threats becomes an urgent task.

To combat this threat, it is highly recommended that patches and updates are applied when possible.

Palo Alto Networks customers receive protection against vulnerabilities and malware through the following products and services:

• Next-Generation Firewall with a Threat Prevention security subscription can block the attacks with Best Practices via Threat Prevention signatures 30760, 37073, 37752, 54659, 54553, 54537, 54619, 58706, 57437, 55795, 57191, 90873, 92611, 93863, 92626, 92714, 93859, 92579, 93044, 93283, 93587, 93872, 93749, 93874, 93973.
• Advanced Threat Prevention has an inbuilt machine learning-based security detection that can detect exploit traffic in real time.
• WildFire can stop the malware with static signature detections.
• Advanced URL Filtering and DNS Security are able to block the C2 domain malware-hosting URLs.
• The Palo Alto Networks IoT security platform can leverage network traffic information to identify the vendor, model and firmware version of a device and identify specific devices that are vulnerable to the aforementioned CVEs.
• In addition, IoT Security has an inbuilt machine learning-based anomaly detection that can alert the customer if a device exhibits nontypical behavior, such as the following:
  • The sudden appearance of traffic from a new source
  • An unusually high number of connections
  • An inexplicable surge of certain attributes typically appearing in IoT application payloads

Palo Alto Networks has shared our findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

Shell Script Downloader Samples

• 888f4a852642ce70197f77e213456ea2b3cfca4a592b94647827ca45adf2a5b8

Mirai Samples

• b43a8a56c10ba17ddd6fa9a8ce10ab264c6495b82a38620e9d54d66ec8677b0c
• b45142a2d59d16991a38ea0a112078a6ce42c9e2ee28a74fb2ce7e1edf15dce3
• 366ddbaa36791cdb99cf7104b0914a258f0c373a94f6cf869f946c7799d5e2c6
• 413e977ae7d359e2ea7fe32db73fa007ee97ee1e9e3c3f0b4163b100b3ec87c2
• 2d0c8ab6c71743af8667c7318a6d8e16c144ace8df59a681a0a7d48affc05599
• 4cb8c90d1e1b2d725c2c1366700f11584f5697c9ef50d79e00f7dd2008e989a0
• 461f59a84ccb4805c4bbd37093df6e8791cdf1151b2746c46678dfe9f89ac79d
• aed078d3e65b5ff4dd4067ae30da5f3a96c87ec23ec5be44fc85b543c179b777
• 0d404a27c2f511ea7f4adb8aa150f787b2b1ff36c1b67923d6d1c90179033915
• eca42235a41dbd60615d91d564c91933b9903af2ef3f8356ec4cfff2880a2f19
• 3f427eda4d4e18fb192d585fca1490389a1b5f796f88e7ebf3eceec51018ef4d
• aaf446e4e7bfc05a33c8d9e5acf56b1c7e95f2d919b98151ff2db327c333f089
• 4f53eb7fbfa5b68cad3a0850b570cbbcb2d4864e62b5bf0492b54bde2bdbe44b

Infrastructure

• zvub[.]us
• 185.225.74[.]251
• 185.44.81[.]114
• 193.32.162[.]189

Additional Resources

• TP-Link WAN-SIDE Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal - Zero Day Initiative
• Unit 42 Finds New Mirai and Gafgyt IoT/Linux Botnet Campaigns - Unit 42, Palo Alto Networks
• Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall - Unit 42, Palo Alto Networks
• Old Wine in the New Bottle: Mirai Variant Targets Multiple IoT Devices - Unit 42, Palo Alto Networks
• Mirai Variant V3G4 Targets IoT Devices - Unit 42, Palo Alto Networks

Appendix

Campaign-related vulnerability information is listed below:

CVE-2019-12725: Zeroshell Remote Command Execution Vulnerability

This malicious traffic was first detected as a part of the campaign on March 14, 2023. The command execution vulnerability is due to the failure to sanitize the value of x509type in the kerbynet component of Zeroshell

CVE-2019-17621: D-Link DIR-859 Remote Command Injection Vulnerability

We captured this exploit traffic on May 1, 2023. The exploit targets a command injection vulnerability in the D-Link wireless router’s /gena.cgi component, which does not successfully sanitize the user input in the service parameter. This leads to arbitrary command execution.

CVE-2019-20500: D-Link DWL-2600AP Remote Command Execution Vulnerability

The exploit was detected on April 11, 2023. The exploit works due to the D-Link wireless router admin.cgi component failing to adequately sanitize the user-supplied input data, which leads to remote command execution.

CVE-2021-25296: Nagios XI Remote Command Injection Vulnerability

We observed this exploit traffic on April 11, 2023. The exploit targets the Nagios XI device’s /nagiosxi/config/monitoringwizard.php component. If insufficient input validation is found, the attacker can exploit the vulnerability to launch a remote command injection attack.

CVE-2021-46422: Telesquare SDT-CW3B1 Router Command Injection Vulnerability

The malicious traffic was first detected on March 14, 2023. The command injection vulnerability is due to the failure to sanitize the value of the cmd parameter in the cgi-bin/admin.cgi interface of the Telesquare router.

CVE-2022-27002: Arris TR3300 Remote Command Injection Vulnerability

We captured this exploit traffic on April 14, 2023. The exploit targets a command injection vulnerability in the Arris TR3300’s user.cgi component, which does not successfully sanitize the user input in the DDNS_HOST parameter. This leads to a command injection.

CVE-2022-29303: SolarView Compact Command Injection Vulnerability

This exploit was detected on March 15, 2023. The exploit works due to the SolarView Compact confi_mail.php component failing to adequately sanitize the user-supplied input data, which leads to command injection.

CVE-2022-30023: Tenda HG9 Router Command Injection Vulnerability

We observed this exploit traffic on March 14, 2023. The exploit targets the Tenda HG9 router’s /boaform/formPing component. If insufficient input validation is found, the attacker can exploit the vulnerability to launch a remote code execution attack

CVE-2022-30525: Zyxel Command Injection Vulnerability

This malicious traffic was first detected on March 14, 2023. The command injection vulnerability is due to the failure to sanitize the value of the mtu parameter in the /cgi-bin/handler interface of Zyxel.

CVE-2022-31499: Nortek Linear eMerge Command Injection Vulnerability

We captured this exploit traffic on May 1, 2023. The exploit targets a command injection vulnerability in the Nortek Linear eMerge device’s card_scan.php component, which does not successfully sanitize the user input in the ReaderNo parameter. This leads to remote command injection.

CVE-2022-37061: FLIR AX8 Unauthenticated OS Command Injection Vulnerability

This exploit was detected on May 1, 2023. The exploit works due to the FLIR AX8 device’s res.php component failing to adequately sanitize the user-supplied input data, which leads to OS command injection.

CVE-2022-40005: Intelbras WiFiber 120AC inMesh Command Injection Vulnerability

We observed this exploit traffic on March 15, 2023. The exploit targets the Intelbras WiFiber device’s /boaform/formPing6 component. If insufficient input validation is found, the attacker can exploit the vulnerability to launch a command injection attack.

CVE-2022-45699: APsystems ECU-R Remote Command Execution Vulnerability

This malicious traffic was first detected on April 12, 2023. The remote command execution vulnerability is due to a failure to sanitize the value of the timezone parameter in the /management/set_timezone.

CVE-2023-1389: TP-Link Archer Router Command Injection Vulnerability

We captured this exploit traffic on April 12, 2023. The exploit targets a command injection vulnerability in the TP-Link Archer router’s cgi-bin/luci component, which does not successfully sanitize the user input in the country parameter. This leads to arbitrary command execution.

CVE-2023-25280: D-Link DIR820LA1_FW105B03 Command injection vulnerability

The exploit was detected on April 11, 2023. The exploit works due to the D-Link device /ping.ccp component failing to adequately sanitize the user-supplied input data, which leads to a command injection vulnerability.

CVE-2023-27240: Tenda AX3 Command Injection Vulnerability

We observed this exploit traffic on April 12, 2023. The exploit targets the Tenda AX3 router’s /goform/AdvSetLanip component. If insufficient input validation is found, the attacker can exploit the vulnerability to launch a remote command injection attack.

CCTV/DVR Remote Code Execution

This exploit traffic was detected on March 14, 2023. The exploit targets a remote code execution in multiple CCTV/DVR devices’ /language components. The component does not successfully sanitize the value of the HTTP parameter.

EnGenius EnShare Remote Code Execution Vulnerability

We detected this exploit traffic on April 12, 2023. The exploit works due to the /cgi-bin/usbinteract.cgi component of the EnGenius EnShare device failing to sanitize the value of the HTTP parameter path.

MVPower DVR Shell Unauthenticated Command Execution Vulnerability

This malicious traffic was captured on April 11, 2023. The exploit works due to the MVPower DVR failing to sanitize user input, which in turn could lead to remote command execution.

Netgear DGN1000 Remote Code Execution Vulnerability

We captured this exploit traffic on March 14, 2023. The exploit targets the setup.cgi component of Netgear DGN1000. The component does not sanitize the value of the HTTP parameter cmd, which leads to remote code execution.

Vacron NVR Remote Code Execution Vulnerability

We observed this exploit traffic on March 14, 2023. The exploit targets the Vacron NVR device’s board.cgi component. If insufficient input validation is found, the attacker can exploit the vulnerability to launch a remote code execution attack.

MediaTek WiMAX Remote Code Execution

The exploit traffic was first detected as a part of a campaign on April 12, 2023. The remote code execution vulnerability is due to the failure to sanitize the value of the SYSLOGD_REMOTE_HOST parameter in the user.cgi interface of a MediaTek WiMAX device.