New variations of Mirai and the Gafgyt botnet are harnessing new vulnerabilities to compromise IoT devices, including the security flaw which caused the 2017 Equifax data breach.
On Sunday, researchers from the Palo Alto Networks Unit 42 team said in a blog post that new variants of the botnets have been upgraded with a slew of exploits designed to take advantage of multiple vulnerabilities.
Botnets can spell disaster for organizations. These systems operate by exploiting vulnerable devices, hijacking them, and forcing them to create illegitimate traffic which is then used to pound online services.
In high numbers, these attacks are known as distributed denial-of-service (DDoS) campaigns and can prevent legitimate traffic from reaching online services -- or knock out systems altogether.
In 2016, the open-source Mirai botnet, which focuses on enslaving Internet of Things (IoT) devices such as routers and smart home products, reminded us of how powerful and disruptive a botnet can be.
TechRepublic: The 6 reasons why we've failed to stop botnets
Gafgyt, another notorious botnet also known as BASHLITE, has been linked to the enslavement of over one million IoT devices. The botnet's source code was leaked in 2015.
According to Unit 42, samples of a Mirai variant have been secured which show that the botnet is now incorporating exploits which target a total of 16 vulnerabilities.
The researchers say this is the first recorded example of Mirai harnessing this well-known vulnerability.
In addition to the Apache Struts vulnerability, the new Mirai variant also exploits bugs including a Linksys E-series device remote code execution (RCE) flaw, a D-Link router RCE, and an OS command injection security flaw which impacts Zyxel routers, among others.
When it comes to the new Gafgyt variant, the botnet now targets a recently-disclosed security flaw which affected old, unsupported builds of SonicWall's Global Management System (GMS), versions 8.1 and earlier.
The bug, CVE-2018-9866, is caused by a lack of validation of user-supplied parameters pass to XML-RPC calls on the GMS virtual appliance, and allows remote users to execute arbitrary code.
Discovered in July, the vulnerability has been issued a CVSS score of 10, the highest available, and GMS users are not able to protect themselves without upgrading to version 8.2. No workaround is available.
"The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could indicate a larger movement from consumer device targets to enterprise targets," the researchers say. "These developments suggest these IoT botnets are increasingly targeting enterprise devices with outdated versions."
Update 15.32 BST: A SonicWall spokesperson told ZDNet:
"The vulnerability disclosed in this post is not an announcement of a new vulnerability in SonicWall Global Management System (GMS). The issue referenced only affects an older version of the GMS software (version 8.1) which was replaced by version 8.2 in December 2016.
Customers and partners running GMS version 8.2 and above are protected against this vulnerability. Customers still using GMS version 8.1 should apply a hotfix supplied by SonicWall in August 2018 and plan for an immediate upgrade, as GMS 8.1 went out of support in February 2018."