Mirai Variant MooBot Botnet Exploiting D-Link Router Vulnerabilities
A variant of the Mirai botnet known as MooBot is co-opting vulnerable D-Link devices into an army of denial-of-service bots by taking advantage of multiple exploits.
“If the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct further attacks such as distributed denial-of-service (DDoS) attacks,” Palo Alto Networks Unit 42 said in a Tuesday report.
MooBot, first disclosed by Qihoo 360’s Netlab team in September 2019, has previously targeted LILIN digital video recorders and Hikvision video surveillance products to expand its network.
In the latest wave of attacks discovered by Unit 42 in early August 2022, as many as four different flaws in D-Link devices, both old and new, have paved the way for the deployment of MooBot samples. These include:
- CVE-2015-2051 (CVSS score: 10.0) - D-Link HNAP SOAPAction Header Command Execution Vulnerability
- CVE-2018-6530 (CVSS score: 9.8) - D-Link SOAP Interface Remote Code Execution Vulnerability
- CVE-2022-26258 (CVSS score: 9.8) - D-Link Remote Command Execution Vulnerability
- CVE-2022-28958 (CVSS score: 9.8) - D-Link Remote Command Execution Vulnerability
Successful exploitation of the aforementioned flaws could lead to remote code execution and the retrieval of a MooBot payload from a remote host, which then parses instructions from a command-and-control (C2) server to launch a DDoS attack on a specific IP address and port number.
Owners of D-Link appliances are strongly advised to apply the patches and upgrades released by the company to mitigate potential threats.
“The vulnerabilities […] have low attack complexity but critical security impact that can lead to remote code execution,” the researchers said. “Once the attacker gains control in this manner, they could take advantage by including the newly compromised devices into their botnet to conduct further attacks such as DDoS.”
OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) in D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions, DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-65L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to execute arbitrary OS commands via the service parameter.
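A detection check for the `soap.cgi` `service` parameter injection described above, written as an added example that is not from the article or from Unit 42. It assumes HTTP access logs in combined log format captured by a proxy or sensor in front of the device; the log lines, IP addresses and the `ExampleSvc1` service name are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n\r]")  # separators, substitution, redirection

# Constructed sample log lines (documentation IP ranges, hypothetical service name).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Aug/2022:10:00:01 +0000] "POST /soap.cgi?service=ExampleSvc1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Aug/2022:10:00:05 +0000] "POST /soap.cgi?service=ExampleSvc1%3Becho%20test HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Aug/2022:10:00:09 +0000] "POST /soap.cgi?service=x%2560echo%2520test%2560 HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Aug/2022:10:00:12 +0000] "GET /index.html?service=a%3Bb HTTP/1.1" 200 1024',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also inspected."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_service_value(log_line):
    """Return the decoded `service` value if it holds shell metacharacters, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith("/soap.cgi"):
        return None
    # Split on raw '&' before decoding, so an encoded %26 stays inside the value.
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        if fully_decode(name) == "service":
            value = fully_decode(raw)
            if SHELL_META.search(value):
                return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    hits = ((n, suspicious_service_value(l)) for n, l in enumerate(lines, 1))
    return [(n, v) for n, v in hits if v is not None]

if __name__ == "__main__":
    for line_no, value in scan(SAMPLE_LOG):
        print(f"line {line_no}: suspicious service value {value!r}")
```

A hit shows that an injection attempt reached the device, not that it succeeded; check the firmware version against D-Link's patched releases to judge exposure.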