

Ethical Hacking News

New Mirai Botnet Spreads Industrial Router Malware Through Zero-Day Exploits




A new Mirai-based botnet is spreading industrial router malware through zero-day exploits, compromising devices across China, the US, Russia, Turkey, and Iran. To protect your devices, follow best practices such as keeping firmware and software up to date, disabling remote access when it is not needed, and changing default admin credentials.



  • The "Insult" botnet targets industrial routers and smart home devices using zero-day exploits.
  • The botnet began exploiting vulnerabilities in November 2024, starting with the CVE-2024-12856 vulnerability in Four-Faith industrial routers.
  • The botnet uses custom exploits for unknown vulnerabilities in Neterbit routers and Vimar smart home devices, alongside leveraging public exploits for over 20 different vulnerabilities to spread its malware.
  • The primary objective of the botnet is conducting distributed denial-of-service (DDoS) attacks on specified targets for profit.
  • The botnet's DDoS attacks are short in duration but high in intensity, lasting between 10 and 30 seconds but exceeding 100 Gbps in traffic.
  • The botnet's spread is not limited to a single country or region, targeting devices across multiple countries including China, the US, Russia, Turkey, and Iran.
  • Users are recommended to follow best practices such as installing device updates, disabling remote access, and changing default admin account credentials to mitigate the risk of infection from this botnet.



  • In a recent development that has left cybersecurity experts scrambling, a new botnet has emerged that targets industrial routers and smart home devices using zero-day exploits. The botnet, dubbed the "insult" due to its name's derogatory connotation, is the latest in a string of malicious networks designed to compromise the security of critical infrastructure.

    According to researchers at Chainxin X Lab, the botnet began exploiting previously unknown vulnerabilities in industrial routers and smart home devices in November 2024. The attacks started with the CVE-2024-12856 vulnerability in Four-Faith industrial routers, which was discovered by VulnCheck in late December but gained notoriety around December 20. Since then, the botnet has continued to expand its reach, leveraging zero-day exploits for other vulnerabilities such as those found in Neterbit routers and Vimar smart home devices.

    The botnet's tactics, techniques, and procedures (TTPs) are characteristic of the Mirai malware family, which has been responsible for a string of high-profile attacks on critical infrastructure in recent years. The botnet uses custom exploits for unknown vulnerabilities in Neterbit routers and Vimar smart home devices, alongside leveraging public exploits for over 20 different vulnerabilities to spread its malware.

    The botnet's primary objective appears to be conducting distributed denial-of-service (DDoS) attacks on specified targets for profit. According to researchers at Chainxin X Lab, the botnet targets hundreds of entities daily, with activity peaking in October and November 2024. The botnet's DDoS attacks are short in duration but high in intensity, lasting between 10 and 30 seconds but exceeding 100 Gbps in traffic.

    The botnet's spread is not limited to a single country or region, as it targets devices across China, the United States, Russia, Turkey, and Iran. The malware leverages a mix of public and private exploits to infect internet-exposed devices, including:

  • DVRs, industrial routers, and smart home devices
  • ASUS routers (via N-day exploits)
  • Huawei routers (via CVE-2017-17215)
  • LB-Link routers (via CVE-2023-26801)
  • Four-Faith industrial routers (via the zero-day now tracked as CVE-2024-12856)
  • PTZ cameras (via CVE-2024-8956 and CVE-2024-8957)
  • Kguard DVRs, and Lilin DVRs (via remote code execution exploits)
  • Generic DVRs (using exploits like the TVT editBlackAndWhiteList RCE)
  • Vimar smart home devices (likely using an undisclosed vulnerability)
  • Various 5G/LTE devices (likely via misconfigurations or weak credentials)

    The botnet features a brute-forcing module for weak Telnet passwords, uses custom UPX packing with unique signatures, and implements Mirai-based command structures for updating clients, scanning networks, and conducting DDoS attacks.

    To mitigate the risk of infection from this botnet, cybersecurity experts recommend that users follow best practices such as installing the latest device updates from the vendor, disabling remote access if not needed, and changing default admin account credentials. By taking these precautions, individuals can significantly reduce their risk of becoming a victim of this malicious botnet.
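The Telnet brute-forcing module described above leaves a recognisable trail in a router's login log: a burst of failed logins from one source, sometimes followed by a success once a default or weak password is hit. The following Python detector is an added example, not code from the article or from Chainxin X Lab. It runs over constructed syslog-style lines (not real captures); the exact telnetd message format, the 60-second window, the five-failure threshold, and the log year are all assumptions to adapt to a real device's logging.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a BusyBox-telnetd-like syslog style.
# The message layout is an assumption; real devices differ in wording.
SAMPLE_LOG = """\
Jan  7 15:30:01 router telnetd[812]: login failed for user 'admin' from 203.0.113.10
Jan  7 15:30:02 router telnetd[812]: login failed for user 'root' from 203.0.113.10
Jan  7 15:30:03 router telnetd[812]: login failed for user 'admin' from 203.0.113.10
Jan  7 15:30:04 router telnetd[812]: login failed for user 'support' from 203.0.113.10
Jan  7 15:30:05 router telnetd[812]: login failed for user 'admin' from 203.0.113.10
Jan  7 15:30:06 router telnetd[812]: login succeeded for user 'admin' from 203.0.113.10
Jan  7 15:31:00 router telnetd[813]: login failed for user 'admin' from 198.51.100.7
Jan  7 15:45:00 router telnetd[814]: login succeeded for user 'admin' from 192.0.2.25
"""

# Assumed detection parameters: five failures within 60 seconds from one source.
WINDOW = timedelta(seconds=60)
THRESHOLD = 5

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for user '(?P<user>[^']*)' "
    r"from (?P<ip>[\d.]+)$"
)


def parse_line(line, year=2025):
    """Return (timestamp, result, user, source_ip) or None for non-matching lines.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2025).
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ts, m["result"], m["user"], m["ip"]


def detect_telnet_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window detector over Telnet login events.

    Raises a 'bruteforce' alert when a source accumulates `threshold` failures
    inside `window`, and a 'compromise' alert when a success from that source
    follows such a burst (the pattern of a default/weak password being guessed).
    """
    failures = defaultdict(deque)  # source ip -> timestamps of recent failures
    alerted = set()                 # sources already reported for this burst
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        recent = failures[ip]
        # Drop failures that fell out of the window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if result == "failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"type": "bruteforce", "src": ip,
                               "count": len(recent), "at": ts})
        else:
            if len(recent) >= threshold:
                alerts.append({"type": "compromise", "src": ip,
                               "user": user, "at": ts})
            # A success ends the burst; a later burst should alert again.
            recent.clear()
            alerted.discard(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_telnet_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample this produces two alerts: a brute-force alert for 203.0.113.10 at the fifth failure, and a compromise alert when the same source then logs in as 'admin'. The single failure from 198.51.100.7 and the clean login from 192.0.2.25 stay silent. A compromise alert is the one to act on first: it is the signal to change the credentials and disable Telnet or remote access, as the mitigation advice above recommends.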



    Related Information:

  • https://www.bleepingcomputer.com/news/security/new-mirai-botnet-targets-industrial-routers-with-zero-day-exploits/

  • https://www.bleepingcomputer.com/news/security/new-botnet-exploits-vulnerabilities-in-nvrs-tp-link-routers/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-12856

  • https://www.cvedetails.com/cve/CVE-2024-12856/

  • https://nvd.nist.gov/vuln/detail/CVE-2017-17215

  • https://www.cvedetails.com/cve/CVE-2017-17215/

  • https://nvd.nist.gov/vuln/detail/CVE-2023-26801

  • https://www.cvedetails.com/cve/CVE-2023-26801/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-8956

  • https://www.cvedetails.com/cve/CVE-2024-8956/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-8957

  • https://www.cvedetails.com/cve/CVE-2024-8957/


  • Published: Tue Jan 7 15:39:30 2025 by llama3.2 3B Q4_K_M
