New Mirai Botnet Targets Industrial Routers with Zero-Day Exploits
A sophisticated Mirai-based botnet is escalating its attacks, leveraging zero-day exploits to target industrial routers and smart home devices. This development marks a significant increase in the threat posed by this type of botnet, which is known for its ability to launch large-scale distributed denial-of-service (DDoS) attacks. Researchers at Chainxin X Lab have been monitoring the botnet’s activities since its emergence in February of the previous year, observing a concerning pattern of increasingly sophisticated attacks.
The Mirai Botnet’s Expanding Arsenal
The botnet began exploiting previously unknown vulnerabilities in November 2024. One of the key vulnerabilities exploited is CVE-2024-12856, affecting Four-Faith industrial routers. VulnCheck initially discovered this vulnerability in late December, but evidence suggests that exploitation attempts began around December 20th, before the flaw was publicly known.
Beyond CVE-2024-12856, the Mirai botnet also employs custom-developed exploits targeting vulnerabilities in Neterbit routers and Vimar smart home devices. These custom exploits highlight the botnet’s capacity for advanced threat development and its focus on exploiting less-well-known vulnerabilities.
Botnet Profile and Targets
The Mirai botnet, identified by a homophobic name, currently maintains approximately 15,000 daily active bot nodes. Its geographic reach is extensive, with a significant presence in China, the United States, Russia, Turkey, and Iran. Its primary objective appears to be financially motivated DDoS attacks, targeting hundreds of entities daily. Activity peaked in October and November 2024.
The botnet’s DDoS attacks, while short in duration (10-30 seconds), are incredibly intense, exceeding 100 Gbps in traffic. This intensity can disrupt even robust infrastructures.
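Bursts this short can fall between the sampling intervals of dashboards tuned for sustained floods, so a defender watching for this botnet wants a detector that keys on the burst shape itself. The following Python snippet is an added example, not code from the original article or from X Lab: it scans per-second bandwidth readings from a hypothetical edge router (the readings are constructed) for runs above a threshold and then keeps only runs whose length matches the 10-30 second window the report describes. The threshold, the gap tolerance and the sample values are assumptions for illustration.

```python
"""Flag short, high-intensity traffic bursts in per-second bandwidth samples."""
from dataclasses import dataclass

# Constructed sample: 60 one-second readings of inbound traffic in Gbps at a
# hypothetical edge router. Baseline of about 2 Gbps with one 20-second burst
# that peaks above 130 Gbps (indices 15 to 34 inclusive).
SAMPLES_GBPS = [2.0] * 15 + [120.0, 131.5, 128.0, 119.7, 125.2] * 4 + [2.0] * 25


@dataclass
class Burst:
    start: int        # index (second) of the first above-threshold reading
    end: int          # index of the last above-threshold reading (inclusive)
    peak_gbps: float  # highest reading seen inside the burst

    @property
    def duration(self) -> int:
        """Length of the burst in seconds, counting both endpoints."""
        return self.end - self.start + 1


def find_bursts(samples, threshold_gbps=50.0, max_gap=1):
    """Return every run of readings at or above threshold_gbps.

    A run survives up to max_gap consecutive sub-threshold readings, so a
    single noisy sample does not split one attack into two alerts.
    """
    bursts = []
    start = None       # index where the current run began, or None
    last_above = None  # index of the most recent above-threshold reading
    peak = 0.0
    for i, gbps in enumerate(samples):
        if gbps >= threshold_gbps:
            if start is None:
                start, peak = i, gbps
            last_above = i
            peak = max(peak, gbps)
        elif start is not None and i - last_above > max_gap:
            # The dip has lasted longer than we tolerate: close the run.
            bursts.append(Burst(start, last_above, peak))
            start = None
    if start is not None:
        bursts.append(Burst(start, last_above, peak))
    return bursts


def classify(bursts, min_seconds=10, max_seconds=30):
    """Keep only bursts whose length falls in the short-lived window the report describes."""
    return [b for b in bursts if min_seconds <= b.duration <= max_seconds]


if __name__ == "__main__":
    for burst in classify(find_bursts(SAMPLES_GBPS)):
        print(f"burst {burst.start}-{burst.end}s, {burst.duration}s long, "
              f"peak {burst.peak_gbps:.1f} Gbps")
```

The two-stage split matters: `find_bursts` is the generic run detector, and `classify` carries the campaign-specific knowledge (duration window), so the same run detector can be reused with different windows as the reported attack profile changes.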
“The targets of attacks are all over the world and distributed in various industries,” explains X Lab. “The main targets of attacks are distributed in China, the United States, Germany, the United Kingdom, and Singapore,” the researchers add.
Targeted Devices and Vulnerabilities
The Mirai botnet’s expansive attack surface includes a wide range of devices and vulnerabilities:
- ASUS routers: Exploited via N-day exploits (known vulnerabilities).
- Huawei routers: Exploited via CVE-2017-17215.
- Neterbit routers: Exploited via a custom exploit.
- LB-Link routers: Exploited via CVE-2023-26801.
- Four-Faith Industrial Routers: Exploited via the zero-day vulnerability CVE-2024-12856.
- PTZ cameras: Exploited via CVE-2024-8956 and CVE-2024-8957.
- Kguard DVRs
- Lilin DVRs: Exploited via remote code execution exploits.
- Generic DVRs: Exploited using exploits like TVT editBlackAndWhiteList RCE.
- Vimar smart home devices: Exploited via an undisclosed vulnerability.
- Various 5G/LTE devices: Likely exploited via misconfigurations or weak credentials.
The botnet also incorporates a brute-forcing module for weak Telnet passwords, uses custom UPX packing with unique signatures, and implements Mirai-based command structures for updating clients, scanning networks, and conducting DDoS attacks. This combination of techniques allows the botnet to maintain high infection rates across diverse device types.
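The Telnet brute-forcing module is the part of this toolkit a device owner is most likely to see in their own logs, and it leaves a recognisable trace: a burst of failed logins from one source cycling through a handful of usernames, sometimes followed by a success. The following Python snippet is an added example, not code from the original article or from X Lab; it parses a constructed, hypothetical syslog-style telnetd log (the line format, addresses and timestamps are assumptions, not any vendor's real output), counts failures per source address in a sliding window, and raises a higher-severity alert when a flagged source then logs in successfully.

```python
"""Flag Telnet password-guessing bursts in router authentication logs."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Constructed log lines in a hypothetical syslog-style telnetd format. The
# format, hostnames and addresses are assumptions made for this example.
LOG_LINES = """\
2025-01-10T03:14:01Z router telnetd[812]: login failed for 'admin' from 203.0.113.45
2025-01-10T03:14:02Z router telnetd[812]: login failed for 'root' from 203.0.113.45
2025-01-10T03:14:02Z router telnetd[812]: login failed for 'admin' from 203.0.113.45
2025-01-10T03:14:03Z router telnetd[812]: login failed for 'support' from 203.0.113.45
2025-01-10T03:14:04Z router telnetd[812]: login failed for 'admin' from 203.0.113.45
2025-01-10T03:14:05Z router telnetd[812]: login failed for 'user' from 203.0.113.45
2025-01-10T03:14:09Z router telnetd[813]: login failed for 'admin' from 198.51.100.7
2025-01-10T03:14:11Z router telnetd[812]: login succeeded for 'root' from 203.0.113.45
2025-01-10T03:20:30Z router telnetd[814]: login succeeded for 'admin' from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ telnetd\[\d+\]: login (?P<result>failed|succeeded) "
    r"for '(?P<user>[^']*)' from (?P<ip>[\d.]+)$"
)


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    success: bool


@dataclass
class Alert:
    kind: str     # "password_guessing" or "success_after_guessing"
    ip: str
    ts: datetime
    detail: str   # usernames tried, or the account that was finally opened


def parse(line):
    """Turn one log line into an Event, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, m["ip"], m["user"], m["result"] == "succeeded")


def detect(lines, threshold=5, window_seconds=60):
    """Alert on sources with >= threshold failures inside a sliding window.

    A later successful login from a source already flagged inside the window
    is reported separately, because that is the signal that a guess landed.
    """
    failures = defaultdict(deque)  # ip -> recent failure Events, oldest first
    flagged = {}                   # ip -> time it first crossed the threshold
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # unrelated or malformed line; ignore
        if ev.success:
            first = flagged.get(ev.ip)
            if first is not None and (ev.ts - first).total_seconds() <= window_seconds:
                alerts.append(Alert("success_after_guessing", ev.ip, ev.ts, ev.user))
            continue
        window = failures[ev.ip]
        window.append(ev)
        # Drop failures that have aged out of the window.
        while window and (ev.ts - window[0].ts).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ev.ip not in flagged:
            flagged[ev.ip] = ev.ts
            users = ",".join(sorted({e.user for e in window}))
            alerts.append(Alert("password_guessing", ev.ip, ev.ts, users))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES.splitlines()):
        print(f"{alert.ts.isoformat()} {alert.kind} from {alert.ip}: {alert.detail}")
```

The threshold of five failures per minute is an assumption; on a device whose only legitimate Telnet users are one or two administrators it can be set far lower, and the cleaner mitigation is the one the article recommends, namely turning the remote service off where it is not needed.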
Mitigation and Protection
Users can protect their devices by taking several precautions:
- Install the latest device updates: Regularly update firmware from the vendor to patch known vulnerabilities.
- Disable remote access: Unless absolutely necessary, disable remote access to devices to reduce the attack surface.
- Change default credentials: Never use default admin account credentials. Choose strong, unique passwords.
The emergence of this sophisticated Mirai botnet underscores the ongoing need for robust cybersecurity practices across all sectors, particularly in critical infrastructure. Its use of zero-day exploits shows why proactive security measures and continuous monitoring for emerging threats matter, and the scale and intensity of its DDoS attacks make the case for sustained vigilance and adoption of the practices above to protect against these evolving threats.