Mirai-based DDoS Attackers Aggressively Adopted New Router Exploits

In September 2023, FortiGuard Labs’ vigilant team uncovered a significant development in the IZ1H9 Mirai-based DDoS campaign. 

This campaign, known for its aggressive tactics, had strengthened its arsenal with a formidable array of thirteen exploits, potentially endangering Linux-based systems across various organizations.

The IZ1H9 campaign threatens a wide range of users across any organization that utilizes Linux-based systems. 

Its potential impact is critical, as remote attackers can gain full control of vulnerable systems, effectively turning them into bots under the attacker’s command.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Exploitation Surge

During the team’s observation, it became evident that the IZ1H9 campaign reached its zenith of exploitation on September 6, 2023. 

Trigger counts surged into the thousands, and even tens of thousands, showcasing the campaign’s alarming ability to infiltrate susceptible devices. 

This rapid propagation was achieved by utilizing freshly released exploit code, covering numerous Common Vulnerabilities and Exposures (CVEs).

Exploit Payloads

The campaign’s array of exploit payloads is diverse, targeting various vulnerabilities. 

Notably, four payloads, CVE-2015-1187, CVE-2016-20017, CVE-2020-25506, and CVE-2021-45382, zero in on D-Link vulnerabilities, enabling remote attackers to execute commands via crafted requests.

Additionally, CVE-2019-19356 targets Netis WF2419, exploiting a Remote Code Execution (RCE) vulnerability through the tracert diagnostic tool due to insufficient user input sanitization.

Exploits discovered in 2021 also play a pivotal role in this campaign, affecting products such as Sunhillo SureLine, Geutebruck IP cameras, and Yealink Device Management.

Further vulnerabilities in Zyxel devices, TP-Link Archer, Korenix JetWave, and TOTOLINK routers are leveraged to expand the campaign’s reach.

Shell Script Downloader

The injected payload aims to download a shell script named “l.sh” from a specific URL. 

Once executed, this script conceals its actions by deleting logs and subsequently downloading and executing various bot clients tailored for different Linux architectures. 

It concludes by obstructing network connections on multiple ports by modifying the device’s iptables rules.

Malware Analysis – IZ1H9

IZ1H9, classified as a Mirai variant, specializes in infecting Linux-based networked devices, particularly IoT devices. 

It transforms them into remote-controlled bots, ready for large-scale network attacks. The XOR key used for configuration decoding is revealed as 0xBAADF00D.

Victims initiate communication with a C2 server, and upon receiving commands, compromised devices parse the packet to determine the DDoS attack method, target host, and packet count before launching an attack.

C2 communication

This campaign underscores the persistent risk posed by vulnerable IoT devices and Linux servers to remote code execution attacks. 

Despite the availability of patches, the number of exploit triggers remains alarmingly high, exposing systems to potential threats.

The IZ1H9 Campaign’s rapid adaptation to new vulnerabilities is a cause for concern. Once attackers gain control of a vulnerable device, they can integrate it into their botnet, amplifying their capacity for attacks, including DDoS and brute-force attacks.

DDoS attacking methods

Organizations are urged to promptly apply patches and change default login credentials for devices to mitigate this threat effectively.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Sujatha

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

10 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

10 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

13 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

16 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

17 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

17 hours ago