New botnet targets network security devices with critical exploits

Authors of a new botnet are targeting connected devices affected by critical-level vulnerabilities, some of them impacting network security devices.

The attacks are still active and use publicly available exploits, sometimes only a few hours after being published. Exploit code for at least ten vulnerabilities has been leveraged so far, the latest being added over the weekend.

Exploiting old and recent bugs

Successfully compromised devices end up with a variant of the Mirai botnet malware specific to the architecture of the device.

In mid-February, security researchers at Palo Alto Networks’ Unit 42 discovered attacks from this botnet and started to track its activity.

It took about a month for the botnet operator to integrate exploits for ten vulnerabilities, many of them critical, for various targets.

Among them is VisualDoor, the exploit for a remote command injection vulnerability in SonicWall SSL-VPN devices that the maker says they fixed years ago.

There are more recent exploits leveraged in these attacks, like CVE-2021-22502, a remote code execution bug in the Micro Focus Operation Bridge Reporter (OBR) product from Vertica.

OBR uses big data technology to create performance reports based on data from other enterprise software.

Two other critical-severity vulnerabilities exploited in attacks from the operator of this Mirai-based botnet are CVE-2021-27561 and CVE-2021-27562 affecting Yealink Device Management.

The flaws were reported through the SSD Secure Disclosure program by independent security researchers Pierre Kim and Alexandre Torres. Technical analysis is available here.

They stem from user-provided data not being properly filtered and allow an unauthenticated attacker to run arbitrary commands on the server with root permission.

Unit 42 researchers say that three of the vulnerabilities the attackers exploit have yet to be identified as the targets remain unknown. Below is a list of the flaws leveraged in these attacks:

ID	Vulnerability	Description	Severity
1	VisualDoor	SonicWall SSL-VPN Remote Command Injection Vulnerability	critical severity
2	CVE-2020-25506	D-Link DNS-320 Firewall Remote Command Execution Vulnerability	critical severity, 9.8/10
3	CVE-2021-27561 and CVE-2021-27562	Yealink Device Management Pre-Auth ‘root’ Level Remote Code Execution Vulnerability	critical severity
4	CVE-2021-22502	Remote Code Execution Vulnerability in Micro Focus Operation Bridge Reporter (OBR), affecting version 10.40	critical severity, 9.8/10
5	CVE-2019-19356	Resembles the Netis WF2419 Wireless Router Remote Code Execution Vulnerability	high severity, 7.5/10
6	CVE-2020-26919	Netgear ProSAFE Plus Unauthenticated Remote Code Execution Vulnerability	critical severity, 9.8/10
7	Unidentified	Remote Command Execution Vulnerability Against an Unknown Target	Unknown
8	Unidentified	Remote Command Execution Vulnerability Against an Unknown Target	Unknown
9	Unknown Vulnerability	Vulnerability Used by Moobot in the Past, Although the Exact Target is Still Unknown	Unknown

After successfully comprising a device, the attacker dropped various binaries that let them schedule jobs, create filter rules, run brute-force attacks, or propagate the botnet malware:

• lolol.sh: downloads and runs architecture-specific “dark” binaries; it also schedules a job to rerun the script and creates traffic rules that blocks incoming connections over common ports for SSH, HTTP, telnet
• install.sh: installs the ‘zmap’ network-scanner, downloads GoLang and the files for running brute-force attacks on IPs discovered by ‘zmap’
• nbrute.[arch]: binary for brute-force attacks
• combo.txt: a text file with credentials to be used in brute-force attacks
• dark.[arch]: Mirai-based binary used for propagation via exploits or brute-forcing