Mirai, Gafgyt IoT botnets stab systems with Apache Struts, SonicWall exploits

Updated: The IoT botnets are back with a new arsenal containing a vast array of vulnerabilities.

New variations of Mirai and the Gafgyt botnet are harnessing new vulnerabilities to compromise IoT devices, including the security flaw which caused the 2017 Equifax data breach.

On Sunday, researchers from the Palo Alto Networks Unit 42 team said in a blog post that new variants of the botnets have been upgraded with a slew of exploits designed to take advantage of multiple vulnerabilities.

Botnets can spell disaster for organizations. These systems operate by exploiting vulnerable devices, hijacking them, and forcing them to create illegitimate traffic which is then used to pound online services.

In high numbers, these attacks are known as distributed denial-of-service (DDoS) campaigns and can prevent legitimate traffic from reaching online services -- or knock out systems altogether.

In 2016, the open-source Mirai botnet, which focuses on enslaving Internet of Things (IoT) devices such as routers and smart home products, reminded us of how powerful and disruptive a botnet can be.

The botnet was used to take down online services across the US, and since the public release of its code online, new variants have continued to emerge.

Gafgyt, another notorious botnet also known as BASHLITE, has been linked to the enslavement of over one million IoT devices. The botnet's source code was leaked in 2015.

According to Unit 42, samples of a Mirai variant have been obtained which show that the botnet now incorporates exploits targeting a total of 16 vulnerabilities.

One of the bugs is the CVE-2017-5638 Apache Struts vulnerability which was left unpatched on Equifax servers, leading to the theft of data belonging to 143 million consumers.

The researchers say this is the first recorded example of Mirai harnessing this well-known vulnerability.

In addition to the Apache Struts vulnerability, the new Mirai variant also exploits bugs including a Linksys E-series device remote code execution (RCE) flaw, a D-Link router RCE, and an OS command injection security flaw which impacts Zyxel routers, among others.

When it comes to the new Gafgyt variant, the botnet now targets a recently-disclosed security flaw which affected old, unsupported builds of SonicWall's Global Management System (GMS), versions 8.1 and earlier.

The bug, CVE-2018-9866, is caused by a lack of validation of user-supplied parameters passed to XML-RPC calls on the GMS virtual appliance, and allows remote users to execute arbitrary code.

Discovered in July, the vulnerability has been issued a CVSS score of 10, the highest available, and GMS users are not able to protect themselves without upgrading to version 8.2. No workaround is available.

"The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could indicate a larger movement from consumer device targets to enterprise targets," the researchers say. "These developments suggest these IoT botnets are increasingly targeting enterprise devices with outdated versions."

In July, a new botnet was discovered, 18,000-device strong, which was made up of IoT devices and routers susceptible to Huawei bug CVE-2017-17215. The botnet took only 24 hours to come to life.

Update 15.32 BST: A SonicWall spokesperson told ZDNet:

"The vulnerability disclosed in this post is not an announcement of a new vulnerability in SonicWall Global Management System (GMS). The issue referenced only affects an older version of the GMS software (version 8.1) which was replaced by version 8.2 in December 2016.

Customers and partners running GMS version 8.2 and above are protected against this vulnerability. Customers still using GMS version 8.1 should apply a hotfix supplied by SonicWall in August 2018 and plan for an immediate upgrade, as GMS 8.1 went out of support in February 2018."
