Microsoft Security Threat Intelligence Center has recently found that the Mozi P2P botnet is continuously attacking IoT devices.
It has installed new functions that help the threat actors to remain resolute in network gateways that have been built by Netgear, Huawei, and ZTE.
Azure Defender Section 52 Microsoft Security Threat Intelligence Center reported that gateways are a “tidbit” for the threat actors because they are “ideal for primary access to corporate networks.
After detecting this attack, the experts have conducted a specific investigation to know about the occurrence of the /overlay folder, and not only this they will also check that if the malware does not have write grants to the folder /etc.
However, if it grants permission, then, in that case, it will try to exploit CVE-2015-1328. In case of successful exploitation of the vulnerability, it will grant the malware access to the folders that are mentioned below:-
However, in this type of case, some actions are taken, and here we have mentioned them below:-
In the case of the ZTE device, the analysts have again conducted a special investigation to check for the existence of the /usr/local/ct folder. Here they claimed that this folder act as an indicator of the device that is being a ZTE modem/router device.
However, in this type of case, some actions are taken, that we have mentioned below:-
In the case of the Huawei device, the execution of the commands generally modifies the password as well as disables the management server for Huawei modem/router devices.
Not only this but it also stops many others from obtaining access to the device via the management server. Apart from this, the experts have also stated that to implement an additional level of resolution it also produces the following files in case of needs and supplements an instruction to persevere all its required copy from /usr/networks.
Here’s the list of TCP ports that are blocked by the malware:-
The experts have listed all the commands, and here we have mentioned them below:-
After a specific investigation, the security researchers came to know that the Mozi receives a list of DNS names, later they also noted that all of them were spoofed; Not only this but every DNS request have a spoofed IP.
While in the case of the HTTP session every HTTP request does not get processed, and in such circumstances, there are several requirements that are needed to get qualified for hijacking.
Soon after knowing about this attack, the Microsoft researchers have already updated to defend, detect, and respond to Mozi and not only this but it has also improved all its capabilities to bypass this attack.
The customers can utilize the network device discovery skills that have been found in Microsoft Defender for Endpoint to identify affected internet gateways on their IT networks.
Moreover, the network-layer abilities of Azure Defender for IoT can be applied as it will help the customer to perform continuous asset discovery, vulnerability management.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates
Multi-factor authentication (MFA), long considered a cornerstone of cybersecurity defense, is facing a formidable new…
A sophisticated cyberespionage campaign linked to Chinese state-sponsored actors has exploited a previously patched Check…
A critical security flaw (CVE-2025-20059) has been identified in supported versions of Ping Identity’s PingAM…
A sophisticated malware campaign leveraging GitHub repositories disguised as game modifications and cracked software has…
Netskope Threat Labs uncovered a sprawling phishing operation involving 260 domains hosting approximately 5,000 malicious…
A new wave of cyberattacks leveraging the Winos4.0 malware framework has targeted organizations in Taiwan…