Cyberium Domain Targets Tenda Routers in Botnet Campaign
AT&T Alien Labs: Hackers Used Mirai Variant MooBot
Malware hosting domain Cyberium has spread Mirai variants, including one that targeted vulnerable Tenda routers, as part of a botnet campaign, AT&T Alien Labs reports.
Since March, AT&T Alien Labs, which operates an open threat intelligence community, has detected a spike in active exploitation attempts against Tenda routers by MooBot, a Mirai variant that has been active since 2019. The latest campaign targets Tenda routers whose owners have not patched a remote code execution vulnerability in the device, tracked as CVE-2020-10987.
“At the end of March, AT&T Alien Labs observed a spike in exploitation attempts for the Tenda Remote Code Execution vulnerability,” says Fernando Martinez, a security researcher on the AT&T Alien Labs team. “This spike was observed across a significant number of clients, in the space of a few hours. This vulnerability is not commonly used by web scanners and was barely detected by our honeypots during the last six months, except for a minor peak in November.”
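The detection Martinez describes, a sudden burst of requests for a normally quiet endpoint across many sensors within a few hours, can be reproduced over ordinary access logs. The following is an added example and not code from the article or from AT&T Alien Labs: it parses constructed combined-format log lines, counts requests to the endpoint publicly associated with CVE-2020-10987 per hour, and flags hours that exceed a low baseline. The endpoint path `/goform/setUsbUnload`, the log format, the baseline and the sample lines are all assumptions of the example; the article gives none of them.

```python
# Added example (not from the article or AT&T Alien Labs): hourly spike detection
# for requests hitting the Tenda endpoint publicly tied to CVE-2020-10987.
import re
from collections import defaultdict
from datetime import datetime

# Assumed endpoint path from public CVE descriptions; the article does not name it.
TENDA_RCE_PATH = "/goform/setUsbUnload"

# Apache/nginx combined log format: client IP, timestamp and request line are all we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)

# Constructed sample log: a quiet hour, a burst from three sources, then quiet again.
SAMPLE_LOG = [
    '198.51.100.7 - - [28/Mar/2021:09:12:01 +0000] "POST /goform/setUsbUnload HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.4 - - [28/Mar/2021:09:40:44 +0000] "GET / HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.10 - - [28/Mar/2021:10:01:05 +0000] "POST /goform/setUsbUnload HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.10 - - [28/Mar/2021:10:01:09 +0000] "POST /goform/setUsbUnload HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.11 - - [28/Mar/2021:10:02:30 +0000] "POST /goform/setUsbUnload HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.11 - - [28/Mar/2021:10:03:02 +0000] "POST /goform/setUsbUnload HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.12 - - [28/Mar/2021:10:05:17 +0000] "POST /goform/setUsbUnload HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.12 - - [28/Mar/2021:10:05:20 +0000] "POST /goform/setUsbUnload HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.10 - - [28/Mar/2021:10:31:48 +0000] "POST /goform/setUsbUnload HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.11 - - [28/Mar/2021:10:44:03 +0000] "POST /goform/setUsbUnload HTTP/1.1" 200 12 "-" "-"',
    'this line is deliberately malformed and must be skipped',
    '198.51.100.9 - - [28/Mar/2021:11:15:55 +0000] "POST /goform/setUsbUnload HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.9 - - [28/Mar/2021:11:16:10 +0000] "GET /login.html HTTP/1.1" 200 900 "-" "-"',
]


def parse_line(line):
    """Return (client_ip, hour_bucket, path) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.strftime("%Y-%m-%d %H:00"), m.group("path")


def hourly_tenda_attempts(lines):
    """Map each hour bucket to (request count, set of distinct source IPs) for hits on the Tenda path."""
    buckets = defaultdict(lambda: [0, set()])
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are ignored rather than aborting the scan
        ip, hour, path = parsed
        if path.split("?", 1)[0] == TENDA_RCE_PATH:
            buckets[hour][0] += 1
            buckets[hour][1].add(ip)
    return {hour: (count, sources) for hour, (count, sources) in buckets.items()}


def detect_spikes(lines, baseline_per_hour=1, factor=5):
    """Flag hours whose Tenda-RCE attempt count exceeds factor * baseline.

    baseline_per_hour is what the sensor normally sees; the article describes the
    endpoint as barely probed for six months, so a baseline of one per hour is realistic.
    """
    flagged = []
    for hour, (count, sources) in sorted(hourly_tenda_attempts(lines).items()):
        if count > baseline_per_hour * factor:
            flagged.append({"hour": hour, "attempts": count, "sources": len(sources)})
    return flagged


if __name__ == "__main__":
    for hit in detect_spikes(SAMPLE_LOG):
        print(f"{hit['hour']}: {hit['attempts']} attempts from {hit['sources']} sources")
```

On the constructed log the 10:00 hour is flagged with eight attempts from three sources, while the single probes at 09:00 and 11:00 stay below threshold. Counting distinct sources alongside raw attempts is what separates a coordinated campaign from one noisy scanner; in a real deployment the baseline would be computed from the sensor's own history rather than hard-coded.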
MooBot Campaign
The Tenda router scanning activity lasted only a day, according to AT&T Alien Labs. The malicious botnet traffic originated from a single Cyberium malware hosting domain, researchers say.
The first request to victims’ machines from this hosting page was to download a malicious script, which…