Novel Mirai-based DDoS botnet exploits 0-days to infect routers and security cameras


Threat actors are exploiting previously unknown bugs in certain routers and network video recorder (NVR) devices to build a Mirai-based distributed denial-of-service (DDoS) botnet, dubbed InfectedSlurs.

The newly discovered zero-day remote code execution vulnerabilities can be exploited if the device manufacturers’ default admin credentials have not been changed – a security measure users very often fail to take.

In a post this week, researchers at Akamai’s security intelligence response team (SIRT) said they discovered the botnet through their global honeypots last month and determined that it was targeting network video recorder (NVR) devices from a specific manufacturer.

“The SIRT did a quick check for CVEs known to impact this vendor’s NVR devices and was surprised to find that we were looking at a new zero-day exploit being actively leveraged in the wild,” the researchers wrote.

Further investigation revealed a second device from a different manufacturer – a wireless LAN router designed for hotels and residential use – was also being targeted by the threat actors behind the botnet.

The researchers said they alerted the manufacturers to the respective vulnerabilities and were told by both that they expected to release patches for the affected devices next month. Until that occurred, Akamai would not identify the manufacturers.

“There is a thin line between responsibly disclosing information to help defenders, and oversharing information that can enable further abuse by hordes of threat actors,” the researchers said.

The router the threat group was targeting was manufactured by a Japanese vendor that produced multiple switches and routers. Japan’s Computer Emergency Response Team (JPCERT) had confirmed the exploit, but Akamai did not know if more than one model in the company’s catalog was affected.

“The feature being exploited is a very common one, and it’s possible there is code reuse across product line offerings,” the researchers said.

Akamai labelled the botnet “InfectedSlurs” after the researchers discovered racial epithets and offensive language within the naming conventions used for the command-and-control domains associated with…
