Tag Archive for: Mirai
Trend says hackers have weaponized SpringShell to install Mirai malware
Getty Images
Researchers on Friday said that hackers are exploiting the recently discovered SpringShell vulnerability to successfully infect vulnerable Internet of Things devices with Mirai, an open source piece of malware that wrangles routers and other network-connected devices into sprawling botnets.
When SpringShell (also known as Spring4Shell) came to light last Sunday, some reports compared it to Log4Shell, the critical zero-day vulnerability in the popular logging utility Log4J that affected a sizable portion of apps on the Internet. That comparison proved to be exaggerated because the configurations required for SpringShell to work were by no means common. To date, there are no real-world apps known to be vulnerable.
Researchers at Trend Micro now say that hackers have developed a weaponized exploit that successfully installs Mirai. A blog post they published didn’t identify the type of device or the CPU used in the infected devices. The post did, however, say a malware file server they found stored multiple variants of the malware for different CPU architectures.
Trend Micro
“We observed active exploitation of Spring4Shell wherein malicious actors were able to weaponize and execute the Mirai botnet malware on vulnerable servers, specifically in the Singapore region,” Trend Micro researchers Deep Patel, Nitesh Surana, and Ashish Verma wrote. The exploits allow threat actors to download Mirai to the “/tmp” folder of the device and execute it following a permission change using “chmod.”
The attacks began appearing in researchers’ honeypots early this month. Most of the vulnerable setups were configured to these dependencies:
- Spring Framework versions before 5.2.20, 5.3.18, and Java Development Kit (JDK) version 9 or higher
- Apache Tomcat
- Spring-webmvc or spring-webflux dependency
- Using Spring parameter binding that is configured to use a non-basic parameter type, such as Plain Old Java Objects (POJOs)
- Deployable, packaged as a web application archive (WAR)
Trend said the success the hackers had in weaponizing the exploit was largely due to…
New Mirai Variant and ZHtrap Botnet Malware Emerge in the Wild
Cybersecurity researchers on Monday disclosed a new wave of ongoing attacks exploiting multiple vulnerabilities to deploy Mirai variants on compromised systems.
“Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers,” Palo Alto Networks’ Unit 42 Threat Intelligence Team said in a write-up.
The rash of vulnerabilities being exploited include:
- VisualDoor — a SonicWall SSL-VPN remote command injection vulnerability that came to light earlier this January
- CVE-2020-25506 – a D-Link DNS-320 firewall remote code execution (RCE) vulnerability
- CVE-2021-27561 and CVE-2021-27562 – Two vulnerabilities in Yealink Device Management that allow an unauthenticated attacker to run arbitrary commands on the server with root privileges
- CVE-2021-22502 – an RCE flaw in Micro Focus Operation Bridge Reporter (OBR), affecting version 10.40
- CVE-2019-19356 – a Netis WF2419 wireless router RCE exploit, and
- CVE-2020-26919 – a Netgear ProSAFE Plus RCE vulnerability
Also included in the mix are three previously undisclosed command injection vulnerabilities that were deployed against unknown targets, one of which, according to the researchers, has been observed in conjunction with MooBot.
The attacks are said to have been detected over a month-long period starting from February 16 to as recent as March 13.
Regardless of the flaws used to achieve successful exploitation, the attack chain involves the use of wget utility to download a shell script from the malware infrastructure that’s then used to fetch Mirai binaries, a notorious malware that turns networked IoT devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks.
Besides downloading Mirai, additional shell scripts have been spotted retrieving executables to facilitate brute-force attacks to break into vulnerable devices with weak passwords.
“The IoT realm remains an easily accessible target for attackers. Many vulnerabilities are very easy to exploit and could, in some cases, have catastrophic consequences,” the researcher said.
New ZHtrap Botnet…
Malware scum want to build a Linux botnet using Mirai
|