A Mirai botnet variant has been discovered exploiting a newly disclosed safety flaw impacting 4-Religion industrial routers since early November 2024 with the purpose of conducting distributed denial-of-service (DDoS) assaults.
The botnet maintains roughly 15,000 every day energetic IP addresses, with the infections primarily scattered throughout China, Iran, Russia, Turkey, and america.
Exploiting an arsenal of over 20 identified safety vulnerabilities and weak Telnet credentials for preliminary entry, the malware is understood to have been energetic since February 2024. The botnet has been dubbed “gayfemboy” in reference to the offensive time period current within the supply code.
QiAnXin XLab stated it noticed the malware leveraging a zero-day vulnerability in industrial routers manufactured by China-based 4-Religion to ship the artifacts as early as November 9, 2024.
The vulnerability in query is CVE-2024-12856 (CVSS rating: 7.2), which refers to an working system (OS) command injection bug affecting router fashions F3x24 and F3x36 by profiting from unchanged default credentials.
Late final month, VulnCheck advised The Hacker Information that the vulnerability has been exploited within the wild to drop reverse shells and a Mirai-like payload on compromised gadgets.
Among the different safety flaws exploited by the botnet to increase its attain and scale embody CVE-2013-3307, CVE-2013-7471, CVE-2014-8361, CVE-2016-20016, CVE-2017-17215, CVE-2017-5259, CVE-2020-25499, CVE-2020-9054, CVE-2021-35394, CVE-2023-26801, CVE-2024-8956, and CVE-2024-8957.
As soon as launched, the malware makes an attempt to cover malicious processes and implements a Mirai-based command format to scan for weak gadgets, replace itself, and launch DDoS assaults in opposition to targets of curiosity.
DDoS assaults leveraging the botnet have focused a whole lot of various entities each day, with the exercise scaling a brand new peak in October and November 2024. The assaults, whereas lasting between 10 and 30 seconds, generate site visitors round 100 Gbps.
The disclosure comes weeks after Juniper Networks warned that Session Sensible Router (SSR) merchandise with default passwords are being focused by malicious actors to drop the Mirai botnet malware. Akamai has additionally revealed Mirai malware infections that weaponize a distant code execution flaw in DigiEver DVRs.
“DDoS has grow to be one of the frequent and harmful types of cyber assaults,” XLab researchers stated. “Its assault modes are various, assault paths are extremely hid, and it may well make use of constantly evolving methods and methods to conduct exact strikes in opposition to numerous industries and programs, posing a big risk to enterprises, authorities organizations, and particular person customers.”
The event additionally comes as risk actors are leveraging inclined and misconfigured PHP servers (e.g., CVE-2024-4577) to deploy a cryptocurrency miner referred to as PacketCrypt.