Mirai Botnet Exploits Zero-Day Bugs For DDoS Attacks

/in


InfectedSlurs, a Mirai botnet malware, has been exploiting two zero-day remote code execution (RCE) vulnerabilities. The malware targets routers and video recorders (NVR) devices, aiming to make them a part of its distributed denial of service (DDoS) swarm. Although the botnet was discovered in October 2023, it is believed that its initial activities date back to the latter half of 2022. In this blog, we’ll dive into how the botnet was discovered, how it functions, and more.

 

Mirai Botnet Detection Details


The botnet was discovered when Akamai’s Security Intelligence Response Team (SIRT) noticed malicious activity pertaining to the company’s honeypots. As of now, it is believed malicious activity was initiated to target a rarely used TCP port. The SIRT teams noticed fluctuations with regard to the frequency of the zero-day exploits

An analysis of the zero-day vulnerabilities, published by Akamai, reads, “The activity started out with a small burst, peaking at 20 attempts per day, and then thinned out to an average of two to three per day, with some days completely devoid of attempts.” It’s worth mentioning that vulnerable devices that fell prey to the botnet were unknown until November 9, 2023. 

Initially the probes were low-frequency and attempted authentication using a POST request. Upon acquiring the access, the botnet attempted a command injection exploitation. Researchers have also determined that the botnet used default admin credentials for installing Mirai variants. 

Upon further observation, it was identified that the wireless LAN routers, built for hotels and residential purposes, were also being targeted by the Mirai botnet. Commenting on the RCE flaw being exploited for unauthorized access, Akamai stated: “The SIRT did a quick check for CVEs known to impact this vendor’s NVR devices and was surprised to find that we were looking at a new zero-day exploit being actively leveraged in the wild.” 


InfectedSlurs, JenX, and hailBot


The InfectedSlurs botnet is suspected to be knitted with other cybersecurity threats such as  JenX and hailBot. The botnet gets its name from the use of racial and offensive language in the command-and-control (C2)…

Source…