The new V3G4 variant of Mirai, which creates botnets for DDoS attacks, exploited 13 different vulnerabilities in three campaigns over a six-month period, Palo Alto Networks' Unit 42 team reports.

A new variant of Mirai, the botnet malware used to launch massive DDoS attacks, has been targeting 13 vulnerabilities in Linux-based IoT devices and servers, according to researchers at Palo Alto Networks' Unit 42 cybersecurity team. Once vulnerable devices are compromised by the variant, dubbed V3G4, they can be fully controlled by attackers and become part of a botnet that can be used to conduct further campaigns, including DDoS attacks.

"The vulnerabilities have less attack complexity than previously observed variants, but they maintain a critical security impact that can lead to remote code execution," Unit 42 said in its report on the new variant.

V3G4 activity was observed between July and December 2022, in three campaigns, Unit 42 said. All three campaigns appeared to be linked to the same variant and the same Mirai botnet for several reasons, according to the researchers. They noted that the domains of the hard-coded command-and-control (C2) infrastructure, used to maintain communications with infected devices, share the same character-string format. In addition, the shell scripts the campaigns download are similar, and the botnet used in all three campaigns has identical functions.

The threat actor deploying V3G4 exploited vulnerabilities that could lead to remote code execution, Unit 42 said. Once executed, the malware checks whether the host device has already been infected; if it has, it exits. It also attempts to kill a set of processes from a hardcoded list, which includes competing botnet malware families.
How the V3G4 Mirai variant works

While most Mirai variants use the same key for string encryption, V3G4 uses different XOR encryption keys for different scenarios, the researchers noted (XOR is a Boolean logic operation frequently used to obfuscate strings so they do not appear in plain sight in the binary). V3G4 packs a set of default or weak login credentials that it uses to carry out brute-force attacks over the Telnet and SSH protocols and spread to other machines. After this, it establishes contact with the C2 server and waits to receive commands for launching DDoS attacks against targets, Unit 42 said.

V3G4 has exploited vulnerabilities including those in the FreePBX management tool for Asterisk communication servers (CVE-2012-4869); Atlassian Confluence (CVE-2022-26134); the Webmin system administration tool (CVE-2019-15107); DrayTek Vigor routers (CVE-2020-8515 and CVE-2020-15415); and the C-Data Web Management System (CVE-2022-4257).

For a complete list of the exploited vulnerabilities observed so far, suggestions for security software that can detect and prevent infection, and code snippets that serve as indicators of compromise, see Palo Alto's advisory. The Unit 42 team also recommends applying patches and updates to remediate the vulnerabilities where possible.

How the Mirai botnet developed

Over the past few years, Mirai has tried to wrap its tentacles around SD-WAN, targeted enterprise videoconferencing systems, and leveraged Aboriginal Linux to infect multiple platforms.

The Mirai botnet was an iteration of a series of malware packages developed by Paras Jha, an undergraduate at Rutgers University. Jha posted it online under the name "Anna-Senpai," naming it Mirai (Japanese for "the future"). The botnet encapsulated some clever techniques, including a list of hardcoded passwords. In December 2017, Jha and his associates pled guilty to crimes related to Mirai attacks.
But by then the code was in the wild and being used as building blocks for further botnet controllers. This meant that anyone could use it to try infecting IoT devices and launching DDoS attacks, or sell that ability to the highest bidder. Many cybercriminals have done just that, or are tweaking and improving the code to make it even harder to fight against.

Mirai's first big wave of attacks came on September 19, 2016, and was used against the French host OVH. Mirai was also responsible for the October 2016 DDoS attack on DNS provider Dyn, which involved about 100,000 infected devices. As a result, major internet platforms and services were unavailable to users in Europe and North America.
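The string-obfuscation behaviour described above under "How the V3G4 Mirai variant works" is what an analyst has to undo first when pulling indicators out of a sample. The script below is an added example written for this article; it is not code from Unit 42, from the article's author, or from the V3G4 sample. It relies on a property of the leaked Mirai source: every table byte is XORed with each of the four bytes of a 32-bit key in turn, which collapses to a single-byte XOR, so a variant that uses "different keys for different scenarios" just means several single-byte keys to recover, one per table. The obfuscated tables, the second key (0x54) and the token list used to rank candidates are constructed assumptions for this example.

```python
"""Recover XOR-obfuscated strings from a Mirai-style binary's string table.

Added example for this article, not code from Unit 42 or from any real
sample. All tables below are constructed fixtures.
"""
from typing import Iterable, Optional

CLASSIC_TABLE_KEY = 0xDEADBEEF  # table key in the leaked Mirai source
SECOND_KEY = 0x54               # assumed second key, to model the multi-key variant

# Tokens an analyst expects in a Mirai-family table; used only to rank candidate
# keys. Assumed list, extend it from whatever the advisory's IoCs show.
KNOWN_TOKENS = (b"/bin/busybox", b"enable", b"system", b"shell", b"/proc/", b"admin", b"root")


def mirai_key_to_byte(key: int) -> int:
    """Fold a 32-bit table key into the single byte it effectively applies.

    Mirai XORs every byte with each of the four key bytes in turn; XOR is
    associative and commutative, so that is one constant: b0 ^ b1 ^ b2 ^ b3.
    """
    return ((key & 0xFF) ^ ((key >> 8) & 0xFF)
            ^ ((key >> 16) & 0xFF) ^ ((key >> 24) & 0xFF))


def xor_bytes(data: bytes, key_byte: int) -> bytes:
    return bytes(b ^ key_byte for b in data)


def obfuscate_table(strings: Iterable[str], key_byte: int) -> list[bytes]:
    """Build a table as it would sit in the binary (fixture for this example)."""
    return [xor_bytes(s.encode(), key_byte) for s in strings]


def all_printable(data: bytes) -> bool:
    # Strict: every byte must be printable ASCII. Relax this if the dump you
    # feed in still carries the trailing terminators Mirai stores per entry.
    return bool(data) and all(0x20 <= b < 0x7F for b in data)


def score_key(blobs: list[bytes], key_byte: int) -> int:
    """0 if any entry decodes to non-printable bytes (one key must fit the
    whole table); otherwise 1 plus the number of expected tokens found."""
    decoded = [xor_bytes(b, key_byte) for b in blobs]
    if not all(all_printable(d) for d in decoded):
        return 0
    return 1 + sum(t in d for d in decoded for t in KNOWN_TOKENS)


def recover_table(blobs: list[bytes]) -> Optional[tuple[int, list[str]]]:
    """Try every single-byte key; return (key, plaintexts) for the best fit,
    or None if no key makes the whole table printable."""
    best = max(range(1, 256), key=lambda k: score_key(blobs, k))
    if score_key(blobs, best) == 0:
        return None
    return best, [xor_bytes(b, best).decode("ascii") for b in blobs]


if __name__ == "__main__":
    scanner_strings = ["/bin/busybox", "enable", "system", "shell", "/proc/net/tcp"]
    c2_strings = ["admin", "root", "/bin/busybox", "shell"]
    # Two tables under two keys: the classic one and the assumed second one.
    tables = {
        "scanner": obfuscate_table(scanner_strings, mirai_key_to_byte(CLASSIC_TABLE_KEY)),
        "c2": obfuscate_table(c2_strings, SECOND_KEY),
    }
    for name, blobs in tables.items():
        key, plain = recover_table(blobs)
        print(f"{name}: key=0x{key:02x} -> {plain}")
```

Scoring the whole table with one key, rather than each string alone, is what makes a single-byte brute force reliable: a wrong key that happens to keep one short string printable almost never keeps a dozen of them printable, and the token bonus breaks any remaining ties.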
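The default-credential brute forcing over Telnet and SSH described under "How the V3G4 Mirai variant works" is also the behaviour most visible from the victim side. The detector below is an added example written for this article, not code from Unit 42 or the article's author. On a Linux host, sshd logs each failed login to syslog, and a Mirai-style scanner shows up as a burst of "Failed password" lines from one source cycling through accounts such as root and admin; the detector keeps a sliding window of failures per source IP and raises one alert per IP when a threshold is crossed. The log lines are constructed for this example (documentation-range addresses, not real sources), the list of default usernames is an assumed subset, and the year is assumed because syslog timestamps omit it.

```python
"""Flag default-credential brute forcing against SSH from auth log lines.

Added example for this article, not code from Unit 42. The log lines,
usernames and year are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Optional

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Usernames typical of Mirai-style default-credential lists (assumed subset).
DEFAULT_USERS = {"root", "admin", "user", "guest", "support", "default", "service"}

# Constructed sample: one scanner (203.0.113.7) and one legitimate user who
# mistypes a password twice, well apart (198.51.100.4).
LOG_LINES = [
    "Jul 15 03:12:01 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Jul 15 03:12:03 cam01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Jul 15 03:12:05 cam01 sshd[812]: Failed password for invalid user support from 203.0.113.7 port 51023 ssh2",
    "Jul 15 03:12:08 cam01 sshd[812]: Failed password for invalid user user from 203.0.113.7 port 51023 ssh2",
    "Jul 15 03:12:09 cam01 sshd[814]: Accepted publickey for ops from 198.51.100.4 port 40001 ssh2: ED25519 SHA256:abc",
    "Jul 15 03:12:11 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Jul 15 03:12:14 cam01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2",
    "Jul 15 03:40:00 cam01 sshd[901]: Failed password for ops from 198.51.100.4 port 40002 ssh2",
    "Jul 15 03:55:00 cam01 sshd[933]: Failed password for ops from 198.51.100.4 port 40003 ssh2",
]


def parse_line(line: str, year: int = 2022) -> Optional[tuple[datetime, str, str]]:
    """Return (timestamp, username, source_ip) for a failed-password line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def detect_bruteforce(lines: list[str], threshold: int = 5, window_s: int = 60) -> dict:
    """One alert per source IP once it reaches `threshold` failures within `window_s`.

    Each alert records the failure count at trigger time, every username
    tried so far, and which of those are on the default-credential list:
    a scanner cycling through default accounts is the Mirai signature, as
    opposed to one user retrying one account.
    """
    window: dict[str, deque] = defaultdict(deque)
    users: dict[str, set] = defaultdict(set)
    alerts: dict[str, dict] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # successful logins and unrelated lines are not failures
        ts, user, ip = parsed
        q = window[ip]
        q.append(ts)
        users[ip].add(user)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # slide the window forward
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {
                "failures": len(q),
                "triggered_at": ts.isoformat(),
                "users": sorted(users[ip]),
                "default_users": sorted(users[ip] & DEFAULT_USERS),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(LOG_LINES).items():
        print(ip, info)
```

The threshold and window are deliberately low here so the constructed sample triggers; on a real host, tune them against your own baseline, and treat a hit on several default usernames from one source as a stronger signal than the raw count. Telnet failures do not reach auth.log this way, so for devices that still expose Telnet the equivalent signal has to come from the network side.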