Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/11/2018
04:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Mirai, Gafgyt Botnets Resurface with New Tricks

A new version of Mirai exploits the Apache Struts flaw linked to the Equifax breach, while Gafgyt targets an old flaw in SonicWall.

Well-known Internet of Things (IoT) botnets Mirai and Gafgyt have resurfaced with new variants targeting vulnerabilities in Apache Struts and SonicWall, respectively.

Researchers in Palo Alto Networks' Unit 42 detected the new versions of Mirai and Gafgyt, both of which have been linked to massive distributed denial of service (DDoS) attacks since November 2016. They suggest both botnets are veering away from consumer targets and toward the enterprise.

The Mirai samples were found in the first week of September, while the Gafgyt samples were available on and off throughout the month of August. Both were using the same domain.

Mirai is an evolution of the Gafgyt botnet (also known as Bashlite or Torlus), an IoT/Linux botnet, explains Ryan Olson, vice president of threat intelligence for Unit 42. It was originally designed to spread across Linux devices by brute-forcing default credentials so the attacked devices could then be commanded to launch DDoS attacks.

"Neither is more inherently dangerous than the other, though, as we note, these samples of Mirai are notable for how many vulnerabilities they target," Olson says of the recent findings.

On Sept. 7, Unit 42 discovered samples of another Mirai variant packing exploits targeting 16 distinct vulnerabilities. It's not the first time the botnet has been seen leveraging multiple exploits in a single sample. However, it is the first time Mirai has leveraged a vulnerability in Apache Struts – the same bug associated with the massive Equifax data breach in September 2017.

The other 15 vulnerabilities all target IoT devices and have previously been seen in different combinations within different Mirai variants, says Olson, who adds that "the Struts addition is the most notable change in this version of Mirai we found." It's also worth noting these samples don't include the brute-force functionality generally used in the Mirai botnet.

Researchers found the same domain hosting the Mirai samples previously resolved to a different IP in August. During that time, the IP was sporadically hosting samples of Gafgyt that included an exploit against CVE-2018-9866, a SonicWall bug affecting older versions of the SonicWall Global Management System (GMS).

Both the Apache Struts and SonicWall exploits are deemed Critical, with a CVSS score of 10. Their effectiveness depends on the number of exposed systems, Olson says. The Apache Struts vuln has been public for a year. The SonicWall bug only affects unsupported versions; the company advises users running GMS software to ensure they're upgraded to version 8.2 as GMS version 8.1 went out of support in Feb. 2018.

"For either to be effective, an organization needs to be behind on their versions and updates," he says.

Olson believes the two new variants of Mirai and Gafgyt come from the same actor but couldn't speak to why they might have chosen to leverage two botnets instead of one.

"Seeing as the samples originated from IPs that resolved to the same domain at different times, and based on some other OPSEC failures, I'm fairly certain these originate from the same actor/group," says Olson of their starting point. "I can't pinpoint any advantage one has over the other to explain the choice of using different base source codes."

For now, it seems the attackers are testing different vulnerabilities to gauge their efficiency at herding the maximum number of bots, giving them greater power for a DDoS, Olson says. A move to the enterprise would allow the botnets access to greater Internet bandwidth than individual home users and connections, he adds – a sign the bots may be targeting businesses.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19668
PUBLISHED: 2020-02-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-17963. Reason: This candidate is a reservation duplicate of CVE-2018-17963. Notes: All CVE users should reference CVE-2018-17963 instead of this candidate. All references and descriptions in this candidate have been removed to preve...
CVE-2019-12882
PUBLISHED: 2020-02-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2017-6363
PUBLISHED: 2020-02-27
** DISPUTED ** In the GD Graphics Library (aka LibGD) through 2.2.5, there is a heap-based buffer over-read in tiffWriter in gd_tiff.c. NOTE: the vendor says "In my opinion this issue should not have a CVE, since the GD and GD2 formats are documented to be 'obsolete, and should only be used for...
CVE-2017-6371
PUBLISHED: 2020-02-27
Synchronet BBS 3.16c for Windows allows remote attackers to cause a denial of service (service crash) via a long string in the HTTP Referer header.
CVE-2017-5861
PUBLISHED: 2020-02-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-1000020. Reason: This candidate is a reservation duplicate of CVE-2017-1000020. Notes: All CVE users should reference CVE-2017-1000020 instead of this candidate. All references and descriptions in this candidate have been removed to...