InfectedSlurs Botnet

Lord777

Akamai analysts warn that InfectedSlurs, a new Mirai-based botnet, exploits two zero-day remote code execution vulnerabilities in routers and NVR (Network Video Recorder) devices. Infected devices are enrolled in a DDoS botnet that is then rented out to other attackers for profit.

Although Akamai's researchers only discovered InfectedSlurs in late October 2023, after noticing attacks against an infrequently used TCP port on their honeypots, the botnet's activity dates back to late 2022. In the observed attacks, the attackers first attempted authentication via POST requests and then attempted command injection.

By scanning the Internet, the researchers found that the targets of these attacks were NVR devices from one specific manufacturer. Further analysis showed that the botnet also attacks an unnamed wireless router popular with home users and hotels, which it compromises through a second zero-day RCE vulnerability.

Because the manufacturers of the affected devices have not yet patched the bugs being exploited, neither the vulnerability details nor the names of the affected products have been disclosed.

"We did a quick search on known CVEs for NVR devices of this manufacturer and were surprised to find that we had a new 0-day exploit that is actively used in the wild. As part of the responsible disclosure process, the manufacturer informed us that it is already working on a fix, which will likely be deployed in December 2023," the report says.

The unnamed router manufacturer has likewise promised to release a fix for its vulnerability in December 2023.

Further analysis of the malware also showed that InfectedSlurs uses the default credentials documented in the vendor manuals of some NVR products to install the bot client and perform other malicious actions.
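The two observations above, authentication attempts by POST followed by command injection, and the use of documented default credentials, suggest a simple detection rule for honeypot or device access logs. The following is an added example, not code from the original post or from Akamai, and not the real InfectedSlurs traffic: the log format (combined format with the POST body appended as a last quoted field), the /login.cgi and /cgi-bin/diag.cgi paths, the username/password field names, the default-credential list and the sample log lines are all constructed assumptions for illustration. It flags a source that attempts a login and then, within a short window, sends a parameter containing shell metacharacters, and records whether that source tried default credentials.

```python
"""Heuristic detector for the login-then-command-injection pattern.

Added example, not the original post's or Akamai's code. The log format,
URL paths, parameter names and default-credential list are assumptions
constructed for illustration; they are not the real InfectedSlurs traffic.
"""
import re
from datetime import datetime
from urllib.parse import unquote_plus

# Combined-format access log with the POST body appended as a final quoted
# field (an assumed honeypot logging convention, not a standard format).
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<body>[^"]*)"$'
)

# Assumed login endpoint and field names for the device being watched.
LOGIN_PATHS = {"/login.cgi"}
USER_FIELD, PASS_FIELD = "username", "password"

# Illustrative subset of vendor default credentials of the kind Mirai-family
# bots cycle through; constructed here, not the list InfectedSlurs carries.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "12345"), ("root", "root"), ("admin", "")}

# Shell metacharacters that have no business inside a form value sent to an
# embedded device's CGI handler.
INJECTION_RE = re.compile(r"[;|`]|\$\(|&&")

# Constructed sample traffic: one source tries default credentials and then
# injects a command; the others are benign or lack the login step.
SAMPLE_LOG = """\
198.51.100.7 - - [28/Oct/2023:03:14:07 +0000] "POST /login.cgi HTTP/1.1" 401 0 "username=admin&password=admin"
198.51.100.7 - - [28/Oct/2023:03:14:08 +0000] "POST /login.cgi HTTP/1.1" 200 0 "username=admin&password=12345"
198.51.100.7 - - [28/Oct/2023:03:14:09 +0000] "POST /cgi-bin/diag.cgi HTTP/1.1" 200 0 "host=127.0.0.1;id"
203.0.113.9 - - [28/Oct/2023:03:20:00 +0000] "POST /login.cgi HTTP/1.1" 200 0 "username=alice&password=correct-horse"
203.0.113.9 - - [28/Oct/2023:03:20:05 +0000] "GET /status.cgi HTTP/1.1" 200 512 "-"
192.0.2.44 - - [28/Oct/2023:04:01:00 +0000] "GET /cgi-bin/diag.cgi?host=127.0.0.1;id HTTP/1.1" 200 0 "-"
"""


def _parse_form(encoded):
    """Split application/x-www-form-urlencoded data on '&' only, so that a ';'
    inside a value survives as injection evidence (older parse_qs split on it)."""
    params = {}
    for pair in (encoded.split("&") if encoded else []):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def parse_line(line):
    """Parse one log line into a dict, merging query-string and body parameters."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = rec["path"].partition("?")
    rec["path"] = path
    params = _parse_form(query)
    if rec["body"] != "-":
        for key, values in _parse_form(rec["body"]).items():
            params.setdefault(key, []).extend(values)
    rec["params"] = params
    return rec


def classify_login(rec):
    """Return 'default' or 'other' for a login POST, None for anything else."""
    if rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
        return None
    user = rec["params"].get(USER_FIELD, [""])[0]
    password = rec["params"].get(PASS_FIELD, [""])[0]
    return "default" if (user, password) in DEFAULT_CREDS else "other"


def injected_params(rec):
    """Parameters whose value contains shell metacharacters."""
    return {k: v for k, vals in rec["params"].items() for v in vals if INJECTION_RE.search(v)}


def find_injection_sequences(log_text, window_seconds=60):
    """Alert on sources that attempt a login and, within window_seconds, send a
    parameter that looks like command injection: the two-step sequence the
    honeypots saw. Injection with no preceding login attempt is not alerted,
    which keeps the rule specific to this pattern."""
    last_login = {}  # src -> (timestamp of last login attempt, tried default creds?)
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec["src"]
        kind = classify_login(rec)
        if kind is not None:
            seen_default = last_login.get(src, (None, False))[1] or kind == "default"
            last_login[src] = (rec["ts"], seen_default)
        hit = injected_params(rec)
        if not hit or src not in last_login:
            continue
        login_ts, seen_default = last_login[src]
        if (rec["ts"] - login_ts).total_seconds() <= window_seconds:
            alerts.append({"src": src, "path": rec["path"], "params": hit,
                           "default_creds": seen_default})
    return alerts


if __name__ == "__main__":
    for alert in find_injection_sequences(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, only 198.51.100.7 is flagged: it tried two default credential pairs and one second later sent `host=127.0.0.1;id`. The source that injects without ever logging in is deliberately ignored, so the rule stays tied to the login-then-inject sequence rather than firing on every metacharacter; loosen `INJECTION_RE` and the login context check if you want broader, noisier coverage.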

According to Akamai, the malware samples show only minor code changes compared to the original Mirai; InfectedSlurs remains essentially a self-propagating DDoS tool that supports SYN, UDP and HTTP GET flooding attacks.

The malware's command-and-control (C2) infrastructure is relatively compact and, according to the analysts, is also used to support the hailBot malware's operations.

The researchers also write that they found a since-deleted Telegram account associated with the botnet. Its owner had posted screenshots showing roughly 10,000 Telnet bots plus another 12,000 bots broken down by device type and brand, labelled Vacron, ntel and UTT-Bots.