The Mirai botnet, one of a handful of botnets that target IoT devices, has been causing serious problems for more than two years now, playing a part in a number of large-scale DDoS attacks and other incidents. The malware behind the network has used a variety of exploits in that time, and recently researchers have discovered some samples of Mirai that are targeting the same Apache Struts vulnerability that was used in the Equifax data breach last year.
There are a number of individual botnets that use the Mirai malware, and there are different versions of the malware floating around as well. Each version contains exploits for different vulnerabilities, some in consumer IoT devices, some in popular software, and some in enterprise apps. The samples that researchers from Palo Alto Networks’ Unit 42 team discovered in recent days contain more than a dozen individual exploits, but the one that stands out is for a bug in the Apache Struts framework that surfaced in 2017. That flaw allows an attacker to run arbitrary code on a vulnerable machine.
“On September 7, 2018, Unit 42 found samples of a Mirai variant that incorporates exploits targeting 16 separate vulnerabilities. While the use of multiple exploits within a single sample of Mirai has been observed in the past, this is the first known instance of Mirai targeting a vulnerability in Apache Struts,” Ruchna Nigam of Unit 42 wrote in an analysis of the new Mirai samples.
“While these samples are variants of Mirai, they don’t include the bruteforce functionality generally used by Mirai. They use l[.]ocalhost[.]host:47883 as C2, and the same encryption scheme as Mirai with the key 0xdeadf00d.”
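The “same encryption scheme as Mirai” mentioned above is the table obfuscation from the leaked Mirai source, where every byte is XORed in turn with the four bytes of a 32-bit key. The following Python decoder is an added illustration, not code from the article or from Unit 42; it uses a constructed sample table with placeholder strings (no real C2 host) and shows why the four XORs collapse into a single-byte XOR (0x22 for the original 0xdeadbeef, 0x8e for 0xdeadf00d) and how an analyst recovers the obfuscated strings.

```python
import string

LEAKED_MIRAI_KEY = 0xdeadbeef   # key used in the leaked Mirai source (table.c)
UNIT42_SAMPLE_KEY = 0xdeadf00d  # key reported for the samples described above

# Printable ASCII minus control whitespace, for string extraction.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")

def key_bytes(key: int) -> tuple:
    """k1..k4 as Mirai's toggle_obf() derives them from the 32-bit key."""
    return tuple((key >> shift) & 0xff for shift in (0, 8, 16, 24))

def toggle_obf(data: bytes, key: int) -> bytes:
    """Mirai's table obfuscation: XOR each byte with k1, k2, k3, k4 in turn.
    The operation is its own inverse, so it both encodes and decodes."""
    k1, k2, k3, k4 = key_bytes(key)
    return bytes((((b ^ k1) ^ k2) ^ k3) ^ k4 for b in data)

def effective_xor_byte(key: int) -> int:
    """Four successive XORs equal one XOR with k1^k2^k3^k4: a single-byte XOR."""
    k1, k2, k3, k4 = key_bytes(key)
    return k1 ^ k2 ^ k3 ^ k4

def find_strings(blob: bytes, key: int, min_len: int = 4) -> list:
    """De-obfuscate a data blob and pull out printable runs, the way an
    analyst would run `strings` over a decoded configuration table."""
    decoded = toggle_obf(blob, key)
    found, run = [], bytearray()
    for b in decoded + b"\x00":  # trailing sentinel flushes the last run
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found

def recover_xor_byte(blob: bytes, known: bytes) -> list:
    """Because the scheme collapses to one byte, try all 256 candidates and
    keep those under which a known plaintext (e.g. a C2 host) appears."""
    return [k for k in range(256) if known in bytes(b ^ k for b in blob)]

# Constructed sample table: two NUL-terminated placeholder strings
# obfuscated with the key reported for the Unit 42 samples.
SAMPLE_TABLE = toggle_obf(b"c2.example.invalid\x00/bin/busybox\x00",
                          UNIT42_SAMPLE_KEY)

if __name__ == "__main__":
    print(hex(effective_xor_byte(LEAKED_MIRAI_KEY)),
          hex(effective_xor_byte(UNIT42_SAMPLE_KEY)))
    print(find_strings(SAMPLE_TABLE, UNIT42_SAMPLE_KEY))
    print(recover_xor_byte(SAMPLE_TABLE, b"c2.example.invalid"))
```

The key-recovery step means the "encryption" offers no real protection: a single known string such as a C2 host or a busybox path identifies the XOR byte immediately.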
Historically, Mirai operators have targeted IoT devices, mainly consumer-grade gear but also some devices used in enterprises, including routers and web servers. The existence of the new sample that includes the Struts exploit is evidence that some of the Mirai botnets are specifically going after enterprises now, Nigam said.
In addition to the Mirai-Struts connection, the Unit 42 researchers also discovered a sample of the Gafgyt botnet malware that’s attacking a freshly disclosed vulnerability in some older versions of SonicWall’s Global Management System virtual appliance. The bug affects only unsupported versions and isn’t present in newer ones, but it’s critical and can be used to run arbitrary code.
“A vulnerability in lack of validation of user-supplied parameters passed to XML-RPC calls on SonicWall Global Management System (GMS) virtual appliances allows a remote user to execute arbitrary code,” the SonicWall advisory says.
The Palo Alto Networks researchers found that a domain which had served as a Mirai command-and-control server later resolved to a different IP address, one that was hosting the new Gafgyt samples.
“These samples first surfaced on August 5, less than a week after the publication of a Metasploit module for this vulnerability,” Nigam said.