Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/11/2018
04:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Mirai, Gafgyt Botnets Resurface with New Tricks

A new version of Mirai exploits the Apache Struts flaw linked to the Equifax breach, while Gafgyt targets an old flaw in SonicWall.

Well-known Internet of Things (IoT) botnets Mirai and Gafgyt have resurfaced with new variants targeting vulnerabilities in Apache Struts and SonicWall, respectively.

Researchers in Palo Alto Networks' Unit 42 detected the new versions of Mirai and Gafgyt, both of which have been linked to massive distributed denial of service (DDoS) attacks since November 2016. They suggest both botnets are veering away from consumer targets and toward the enterprise.

The Mirai samples were found in the first week of September, while the Gafgyt samples were available on and off throughout the month of August. Both were using the same domain.

Mirai is an evolution of the Gafgyt botnet (also known as Bashlite or Torlus), an IoT/Linux botnet, explains Ryan Olson, vice president of threat intelligence for Unit 42. It was originally designed to spread across Linux devices by brute-forcing default credentials so the attacked devices could then be commanded to launch DDoS attacks.

"Neither is more inherently dangerous than the other, though, as we note, these samples of Mirai are notable for how many vulnerabilities they target," Olson says of the recent findings.

On Sept. 7, Unit 42 discovered samples of another Mirai variant packing exploits targeting 16 distinct vulnerabilities. It's not the first time the botnet has been seen leveraging multiple exploits in a single sample. However, it is the first time Mirai has leveraged a vulnerability in Apache Struts – the same bug associated with the massive Equifax data breach in September 2017.

The other 15 vulnerabilities all target IoT devices and have previously been seen in different combinations within different Mirai variants, says Olson, who adds that "the Struts addition is the most notable change in this version of Mirai we found." It's also worth noting these samples don't include the brute-force functionality generally used in the Mirai botnet.

Researchers found the same domain hosting the Mirai samples previously resolved to a different IP in August. During that time, the IP was sporadically hosting samples of Gafgyt that included an exploit against CVE-2018-9866, a SonicWall bug affecting older versions of the SonicWall Global Management System (GMS).

Both the Apache Struts and SonicWall exploits are deemed Critical, with a CVSS score of 10. Their effectiveness depends on the number of exposed systems, Olson says. The Apache Struts vuln has been public for a year. The SonicWall bug only affects unsupported versions; the company advises users running GMS software to ensure they're upgraded to version 8.2 as GMS version 8.1 went out of support in Feb. 2018.

"For either to be effective, an organization needs to be behind on their versions and updates," he says.

Olson believes the two new variants of Mirai and Gafgyt come from the same actor but couldn't speak to why they might have chosen to leverage two botnets instead of one.

"Seeing as the samples originated from IPs that resolved to the same domain at different times, and based on some other OPSEC failures, I'm fairly certain these originate from the same actor/group," says Olson of their starting point. "I can't pinpoint any advantage one has over the other to explain the choice of using different base source codes."

For now, it seems the attackers are testing different vulnerabilities to gauge their efficiency at herding the maximum number of bots, giving them greater power for a DDoS, Olson says. A move to the enterprise would allow the botnets access to greater Internet bandwidth than individual home users and connections, he adds – a sign the bots may be targeting businesses.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why AI Will Create Far More Jobs Than It Replaces
John DiLullo, CEO, Lastline,  5/14/2019
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12216
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a heap-based buffer overflow in the SDL2_image function IMG_LoadPCX_RW at IMG_pcx.c.
CVE-2019-12217
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a NULL pointer dereference in the SDL stdio_read function in file/SDL_rwops.c.
CVE-2019-12218
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a NULL pointer dereference in the SDL2_image function IMG_LoadPCX_RW at IMG_pcx.c.
CVE-2019-12219
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is an invalid free error in the SDL function SDL_SetError_REAL at SDL_error.c.
CVE-2019-12220
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is an out-of-bounds read in the SDL function SDL_FreePalette_REAL at video/SDL_pixels.c.