Mirai malware infects routers and cameras for new botnet
Akamai sounds the alarm – won't name the manufacturers yet
Akamai has uncovered two zero-day bugs capable of remote code execution, both being exploited to distribute the Mirai malware and build a botnet army for distributed denial of service (DDoS) attacks.
The perpetrators of the campaign have not been identified, but it is known that the zero-days target routers and network video recorders from two vendors and use the devices’ default passwords.
Because the security holes aren't plugged yet, Akamai's Security Intelligence Response Team (SIRT) did not name the brands or the affected devices. Patches for vulnerable products are expected to be released in December.
There is an easy interim fix though. To make sure you're not vulnerable, check routers and recorders to ensure you're not using the vendor's default password. If you are, give yourself an uppercut, then replace it with something original and long enough not to be easily brute forced.
Until the patches are released, organizations can also check Akamai's published Snort and YARA rules – along with other indicators of compromise – to detect potential infections in their environments.
"Although this information is limited, we felt it was our responsibility to alert the community about the ongoing exploitation of these CVEs in the wild," the alert reads.
"There is a thin line between responsibly disclosing information to help defenders, and oversharing information that can enable further abuse by hordes of threat actors."
Here's what we do know about the affected devices:
The camera vendor produces about 100 network video recorder, DVR, and IP products, and although the zero-day targets one specific model, Akamai says a sub-variant model of the device is "likely" also vulnerable.
The second product being targeted is an "outlet-based wireless LAN router built for hotels and residential applications," we're told. This vendor, based in Japan, produces "multiple" switches and routers.
Although Akamai notes the exploit has been confirmed by Japan's Computer Emergency Response Team as present in one of the manufacturer's routers, it can't verify that only one model is affected by the flaw.
"The feature being exploited is a very common one, and it's possible there is code reuse across product line offerings," according to the Akamai Security Intelligence Response Team's advisory.
Plenty of WLAN router-makers use the open-source DD-WRT firmware. If that's the case here, it's not hard to imagine the manufacturer customised the code, introduced a flaw, then spread it across several products.
Akamai’s researchers monitor botnet activity using a global network of honeypots but didn't spot the new Mirai variant until October – and didn't know which devices it was targeting until November 9.
The botnet, dubbed InfectedSlurs, was named with reference to the racial slurs and other offensive language used in its command and control (C2) domains and filenames. It primarily uses older JenX Mirai code, although Akamai noted some samples it spotted were linked to the hailBot Mirai variant.
According to the Akamai report:
While JenX primarily contained the filename of "jkxl", the assumed hailBot file names included the string "skid". Additionally, one of the unique identifiers for hailBot is the console string "hail china mainland" that is printed upon successful compromise of a system.
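As an added example (not Akamai's published YARA or Snort rules), the strings quoted above can drive a rough triage of captured ELF samples. The rule that the short names "jkxl" and "skid" only count inside an ELF file, while the console string is treated as a strong indicator on its own, is my assumption about how to limit false positives, not something the report states; the sample buffers are constructed, not real malware.

```python
"""Triage byte blobs for the InfectedSlurs indicator strings named in Akamai's report."""
from dataclasses import dataclass, field
from typing import List, Optional

ELF_MAGIC = b"\x7fELF"  # every Mirai-family binary for embedded Linux is an ELF file

# Indicator strings as quoted in the Akamai report (see the text above).
HAILBOT_CONSOLE = b"hail china mainland"  # printed by hailBot on successful compromise
HAILBOT_FILENAME = b"skid"                # substring seen in assumed hailBot filenames
JENX_FILENAME = b"jkxl"                   # filename used by the older JenX code

INDICATORS = {
    "hail china mainland": HAILBOT_CONSOLE,
    "skid": HAILBOT_FILENAME,
    "jkxl": JENX_FILENAME,
}


@dataclass
class Verdict:
    is_elf: bool
    family: Optional[str]            # "hailBot", "JenX" or None
    matched: List[str] = field(default_factory=list)


def triage(blob: bytes) -> Verdict:
    """Classify a blob by which indicator strings it contains.

    Assumption (mine, not Akamai's): the short filename fragments are too common
    to trust in arbitrary text, so they only produce a family verdict when the
    blob is an ELF binary; the long console string is accepted anywhere.
    """
    is_elf = blob.startswith(ELF_MAGIC)
    matched = [name for name, needle in INDICATORS.items() if needle in blob]
    family = None
    if HAILBOT_CONSOLE in blob:
        family = "hailBot"
    elif is_elf and JENX_FILENAME in blob:
        family = "JenX"
    elif is_elf and HAILBOT_FILENAME in blob:
        family = "hailBot"
    return Verdict(is_elf, family, matched)


def triage_file(path: str) -> Verdict:
    """Read a file from disk and triage its contents."""
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed sample buffers: a fake ELF header plus padding and one indicator string.
SAMPLE_HAILBOT = ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9 + b"/bin/busybox\x00hail china mainland\x00"
SAMPLE_JENX = ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9 + b"/tmp/jkxl\x00"
SAMPLE_TEXT = b"README: a script kiddie (skid) left this note, no binary here"
```

Running `triage` over the three constructed samples flags the first two as hailBot and JenX respectively, while the plain-text sample records a "skid" match but gets no family verdict.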
The bug hunters also spotted mentions of some of the C2 infrastructure in a now-deleted Telegram account in a DDoS marketplace channel, DStatCC.
Additionally, an August post on PasteBin showed this same C2 infrastructure targeting a Russian news site with a DDoS attack in May. According to Akamai, the C2 domains, IP addresses, hashes and ports all match those used in the InfectedSlurs campaign. ®