Mirai botnet resurfaces with MooBot variant to target D-Link devices

By Deeba Ahmed. The botnet is exploiting four different vulnerabilities in D-Link devices.

HackRead

Palo Alto Networks’ Unit 42 researchers have reported the emergence of a new Mirai botnet variant dubbed MooBot. This variant is scanning for unpatched D-Link devices to build its army of DDoS (distributed denial of service) bots. To compromise vulnerable D-Link routers, MooBot uses multiple exploits.

Re-Emergence of Notorious MooBot

The MooBot botnet was first discovered by Qihoo 360’s Netlab in Sep 2019. The most recent wave of attacks involving MooBot before the one detected by Palo Alto was identified by Fortinet analysts in Dec 2021; in that campaign, MooBot targeted a flaw in Hikvision cameras and enlisted a large number of devices into its DDoS army.

In early August, Unit 42 researchers discovered a new attack wave. This time, MooBot’s targets were unpatched D-Link routers, which it compromised using old and new exploits.

Exploited Vulnerabilities

The botnet is exploiting four different vulnerabilities in D-Link devices, including the following:

  • CVE-2022-26258 (CVSS score: 9.8) – D-Link Remote Command Execution Vulnerability
  • CVE-2022-28958 (CVSS score: 9.8) – D-Link Remote Command Execution Vulnerability
  • CVE-2015-2051 (CVSS score: 10.0) – D-Link HNAP SOAPAction Header Command Execution Vulnerability
  • CVE-2018-6530 (CVSS score: 9.8) – D-Link SOAP Interface Remote Code Execution Vulnerability

Source: Palo Alto Networks

Previously, apart from Hikvision video surveillance devices, it also targeted LILIN digital video recorders.

What Happens If Devices are Compromised?

According to Unit 42 researchers, an attacker can gain full control of the compromised devices and use them to perform further attacks. The chain starts with remote code execution, which is used to retrieve the MooBot payload from a remote host; the bot then parses instructions from a C2 server and launches DDoS attacks, which can be aimed at specific port numbers and IP addresses.

Campaign overview (Palo Alto Networks)

D-Link has released security updates to address the flaws. However, there are still countless unpatched devices. Many are yet to be patched even for the two most recent vulnerabilities (CVE-2022-26258 and CVE-2022-28958), which were discovered in March and May 2022 respectively.

The low attack complexity of the vulnerabilities lets the attacker gain remote code execution and, through arbitrary commands, easily fetch the malware binary. It is worth noting that the C2 address used in the current attack wave is different from the one in the wave identified by Fortinet.

Applying the patches as soon as possible and keeping your device updated is necessary to prevent the MooBot threat.

Related news

FICORA, CAPSAICIN Botnets Exploit Old D-Link Router Flaws for DDoS Attacks

Mirai and Keksec botnet variants are exploiting critical vulnerabilities in D-Link routers. Learn about the impact, affected devices, and how to protect yourself from these attacks.

New Goldoon Botnet Targeting D-Link Devices by Exploiting 9-Year-Old Flaw

By Waqas. A new botnet called Goldoon targets D-Link routers and NAS devices, putting them at risk of DDoS attacks and more. Learn how weak credentials leave you vulnerable and how to secure your network.

Mirai Variant MooBot Botnet Exploiting D-Link Router Vulnerabilities

A variant of the Mirai botnet known as MooBot is co-opting vulnerable D-Link devices into an army of denial-of-service bots by taking advantage of multiple exploits. "If the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct further attacks such as distributed denial-of-service (DDoS) attacks," Palo Alto Networks Unit 42 said in a

CVE-2018-6530: GitHub - soh0ro0t/Pwn-Multiple-Dlink-Router-Via-Soap-Proto: Recently I discovered that D-Link DIR 880L/865L/868L/860L routers contain multiple XSS and command injection vulnerabilities. The main problem is that the router does not validate user input, so malicious requests are executed and a remote attacker can ultimately take control of the entire device.

OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) in D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions, DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-865L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to execute arbitrary OS commands via the service parameter.
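The two injection surfaces named above, the soap.cgi service parameter (CVE-2018-6530) and the HNAP SOAPAction header (CVE-2015-2051), give a defender something concrete to look for in web-server logs. The following detection script is an added example, not code from the article or from Unit 42; it assumes a combined-format access log with the SOAPAction header appended as soapaction="...", and the sample log lines (with injected commands replaced by PLACEHOLDER_CMD) are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the article). Format assumed:
# combined log with the request's SOAPAction header appended as soapaction="...".
# Any injected command is replaced by the placeholder PLACEHOLDER_CMD.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Sep/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [06/Sep/2022:10:00:02 +0000] "POST /HNAP1/ HTTP/1.1" 200 128 "-" "Mozilla/5.0" soapaction="GetDeviceSettings"
192.0.2.12 - - [06/Sep/2022:10:00:03 +0000] "GET /soap.cgi?service=Layer3Forwarding HTTP/1.1" 200 64 "-" "curl/7.68"
198.51.100.7 - - [06/Sep/2022:10:00:04 +0000] "GET /soap.cgi?service=Layer3Forwarding%3BPLACEHOLDER_CMD HTTP/1.1" 200 64 "-" "Wget/1.20"
198.51.100.8 - - [06/Sep/2022:10:00:05 +0000] "POST /HNAP1/ HTTP/1.1" 200 64 "-" "-" soapaction="GetDeviceSettings;PLACEHOLDER_CMD"
"""

# Leading fields of a combined-format request line.
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SOAPACTION_RE = re.compile(r'soapaction="([^"]*)"', re.IGNORECASE)
# Shell metacharacters that never belong in a SOAP action name or a service name.
SHELL_META = re.compile(r'[;|&`]|\$\(')


def suspicious_fields(line):
    """Return [(source_ip, field, decoded_value)] when the request reaches the
    soap.cgi service parameter or the HNAP SOAPAction header with shell
    metacharacters in it; an empty list otherwise."""
    m = REQ_RE.match(line)
    if not m:
        return []
    base, _, query = m.group("path").partition("?")
    findings = []
    # CVE-2018-6530 surface: the "service" parameter of soap.cgi.
    if base.endswith("/soap.cgi") and "service=" in query:
        decoded = unquote(query)
        if SHELL_META.search(decoded):
            findings.append((m.group("ip"), "soap.cgi query", decoded))
    # CVE-2015-2051 surface: the SOAPAction header on HNAP requests.
    if base.startswith("/HNAP1"):
        sa = SOAPACTION_RE.search(line)
        if sa and SHELL_META.search(unquote(sa.group(1))):
            findings.append((m.group("ip"), "SOAPAction", unquote(sa.group(1))))
    return findings


def scan(log_text):
    """Scan a whole log; returns the flagged (ip, field, value) tuples in order."""
    return [hit for line in log_text.splitlines() for hit in suspicious_fields(line)]
```

Run over the constructed sample, `scan(SAMPLE_LOG)` flags only the two lines from 198.51.100.7 and 198.51.100.8; the legitimate HNAP and soap.cgi requests pass.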
