Mirai, Gafgyt Botnets Resurface with New Tricks

Published: 23/11/2024   Category: security




A new version of Mirai exploits the Apache Struts flaw linked to the Equifax breach, while Gafgyt targets an old flaw in SonicWall.



Well-known Internet of Things (IoT) botnets Mirai and Gafgyt have resurfaced with new variants targeting vulnerabilities in Apache Struts and SonicWall, respectively.
Researchers at Palo Alto Networks' Unit 42 detected the new versions of Mirai and Gafgyt, both of which have been linked to massive distributed denial-of-service (DDoS) attacks since November 2016. They suggest both botnets are veering away from consumer targets and toward the enterprise.
The Mirai samples were found in the first week of September, while the Gafgyt samples were available on and off throughout the month of August. Both were using the same domain.
Mirai is an evolution of the Gafgyt botnet (also known as Bashlite or Torlus), an IoT/Linux botnet, explains Ryan Olson, vice president of threat intelligence for Unit 42. It was originally designed to spread across Linux devices by brute-forcing default credentials so the attacked devices could then be commanded to launch DDoS attacks.
"Neither is more inherently dangerous than the other, though, as we note, these samples of Mirai are notable for how many vulnerabilities they target," Olson says of the recent findings.
On Sept. 7, Unit 42 discovered samples of another Mirai variant packing exploits targeting 16 distinct vulnerabilities. It's not the first time the botnet has been seen leveraging multiple exploits in a single sample. However, it is the first time Mirai has leveraged a vulnerability in Apache Struts (CVE-2017-5638), the same bug associated with the massive Equifax data breach disclosed in September 2017.
The other 15 vulnerabilities all target IoT devices and have previously been seen in different combinations within different Mirai variants, says Olson, who adds that the Struts addition is the most notable change in this version of Mirai we found. It's also worth noting these samples don't include the brute-force functionality generally used in the Mirai botnet.
Researchers found the same domain hosting the Mirai samples previously resolved to a different IP in August. During that time, the IP was sporadically hosting samples of Gafgyt that included an exploit against CVE-2018-9866, a SonicWall bug affecting older versions of the SonicWall Global Management System (GMS).
Both the Apache Struts (CVE-2017-5638) and SonicWall (CVE-2018-9866) exploits target bugs rated Critical, with a CVSS score of 10. Their effectiveness depends on the number of exposed systems, Olson says. The Apache Struts vulnerability has been public for over a year. The SonicWall bug only affects unsupported versions; the company advises users running GMS software to ensure they're upgraded to version 8.2, as GMS version 8.1 went out of support in Feb. 2018.
"For either to be effective, an organization needs to be behind on their versions and updates," he says.
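The two exposures above reduce to two checks a defender can run today: whether inbound HTTP traffic carries the Struts OGNL-in-Content-Type pattern that CVE-2017-5638 is exploited through, and whether any SonicWall GMS install is still on a release below 8.2. The script below is an added example, not code from the article or from Unit 42; the request records and version strings are constructed, and the high-confidence tokens are indicators commonly seen in CVE-2017-5638 payloads rather than a complete signature.

```python
"""Triage helpers for the Struts (CVE-2017-5638) and SonicWall GMS exposures.

Added example for this article; the sample data is constructed.
"""
import re
from typing import List, Tuple

# Struts evaluates OGNL expressions ("%{...}" or "${...}") found in the
# Content-Type header handled by the vulnerable Jakarta Multipart parser.
# A legitimate Content-Type never contains these markers.
OGNL_MARKER = re.compile(r"[%$]\{")

# Tokens commonly seen in working CVE-2017-5638 payloads (assumption: used here
# only to raise confidence, not as an exhaustive signature).
OGNL_HIGH_CONFIDENCE = ("#_memberAccess", "#context", "getRuntime")

# Per the article: GMS 8.1 went out of support in Feb. 2018, 8.2 is the floor.
GMS_MIN_SUPPORTED = (8, 2)


def is_struts_ognl_injection(content_type: str) -> bool:
    """True if the Content-Type header value carries an OGNL evaluation marker."""
    return bool(OGNL_MARKER.search(content_type or ""))


def ognl_confidence(content_type: str) -> str:
    """'none', 'medium' (marker only) or 'high' (marker plus known payload token)."""
    if not is_struts_ognl_injection(content_type):
        return "none"
    if any(tok in content_type for tok in OGNL_HIGH_CONFIDENCE):
        return "high"
    return "medium"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.1.0.2' into (8, 1, 0, 2); stops at the first non-numeric piece."""
    parts: List[int] = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def gms_out_of_support(version: str) -> bool:
    """True if a SonicWall GMS version string is below the 8.2 support floor."""
    v = parse_version(version)
    if not v:
        raise ValueError(f"unparseable GMS version: {version!r}")
    padded = v + (0,) * max(0, len(GMS_MIN_SUPPORTED) - len(v))
    return padded[:2] < GMS_MIN_SUPPORTED


# Constructed request records: (client_ip, path, Content-Type header value).
# The OGNL strings are deliberately inert; they only carry the markers.
SAMPLE_REQUESTS = [
    ("203.0.113.5", "/struts2-showcase/index.action",
     "%{(#_='multipart/form-data').(#_memberAccess=1)}"),
    ("198.51.100.7", "/upload.action", "multipart/form-data; boundary=----x"),
    ("192.0.2.9", "/", "text/html"),
    ("203.0.113.5", "/login.action", "%{(#_='multipart/form-data').(#a=1)}"),
]

# Constructed inventory of GMS appliances: (hostname, version string).
SAMPLE_GMS_INVENTORY = [
    ("gms-01.example.test", "8.1.0.2"),
    ("gms-02.example.test", "8.2"),
    ("gms-03.example.test", "8.2.1"),
]


def triage_requests(records) -> List[Tuple[str, str, str]]:
    """Return (ip, path, confidence) for every request flagged as OGNL injection."""
    alerts = []
    for ip, path, ctype in records:
        conf = ognl_confidence(ctype)
        if conf != "none":
            alerts.append((ip, path, conf))
    return alerts


def triage_gms(inventory) -> List[Tuple[str, str]]:
    """Return (host, version) for every GMS install below the support floor."""
    return [(host, ver) for host, ver in inventory if gms_out_of_support(ver)]


if __name__ == "__main__":
    for ip, path, conf in triage_requests(SAMPLE_REQUESTS):
        print(f"STRUTS OGNL {conf:6s} {ip} {path}")
    for host, ver in triage_gms(SAMPLE_GMS_INVENTORY):
        print(f"GMS OUT OF SUPPORT {host} ({ver})")
```

The Content-Type check is deliberately broad: a `%{` or `${` in that header has no legitimate use, so a medium-confidence hit is still worth a look, and the token list only promotes the alert rather than gating it. Real exploit attempts also appear in other headers handled by the same parser, so feed every header value through `ognl_confidence` rather than Content-Type alone.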
Olson believes the two new variants of Mirai and Gafgyt come from the same actor but couldn't speak to why they might have chosen to leverage two botnets instead of one.
"Seeing as the samples originated from IPs that resolved to the same domain at different times, and based on some other OPSEC failures, I'm fairly certain these originate from the same actor/group," says Olson of their starting point. "I can't pinpoint any advantage one has over the other to explain the choice of using different base source codes."
For now, it seems the attackers are testing different vulnerabilities to gauge their efficiency at herding the maximum number of bots, giving them greater power for a DDoS, Olson says. A move to the enterprise would allow the botnets access to greater Internet bandwidth than individual home users and connections, he adds – a sign the bots may be targeting businesses.





