Industrial routers hit by zero-days from new Mirai botnets

Chinese researchers discovered a variant of Mirai with an offensive name
It targets industrial routers and smart home devices with zero-day failures, misconfigurations, and bad passwords
About 15,000 active IP addresses were found

A new malicious botnet was recently observed spreading through zero-day vulnerabilities and assimilating industrial routers and smart home devices.

Cybersecurity researchers from Chinese outfit Qi’anxin XLab claim that the botnet is based on Mirai, a notorious piece of malware known to be behind some of the largest and most devastating Distributed Denial of Service (DDoS) attacks.

However, the new versions differ greatly from the original Mirai as they exploit more than 20 vulnerabilities, targeting weak Telnet passwords as a means of distribution and spread. Some of the vulnerabilities have never been seen before and have not yet been assigned CVEs. Among them are errors in Neterbit routers and Vimar smart home devices.

Intense attacks

The researchers also observed that CVE-2024-12856 was used to infect devices. This is a severe (7.2/10) command injection vulnerability found in Four-Faith industrial routers.

The botnet is called “gayfemboy” and apparently has around 15,000 active IP addresses in the US, Turkey, Iran, China and Russia. The botnet mostly targets these devices, so if you’re running any of them, be on the lookout for indicators of compromise.

ASUS routers, Huawei routers, Neterbit routers, LB-Link routers, Four-Faith industrial routers, PZT cameras, Kguard DVR, Lilin DVR, Generic DVRs, Vimar smart home devices and other various 5G/LTE -devices with misconfigurations or weak credentials.

Whoever is behind this botnet isn’t wasting their time either. Since February last year, it has been running various DDoS attacks, with peak performance recorded in October and November 2024. The targets are mostly located in China, USA, UK, Germany and Singapore.

The attacks usually last between 10 and 30 seconds and are quite intense, exceeding 100 Gbps in traffic, which can disrupt even the most robust infrastructures.

“The targets of attack are worldwide and spread across different industries,” the researchers said. “The main targets of attack are distributed in China, the United States, Germany, the United Kingdom and Singapore,” they concluded.

Via Bleeping Computer

Must Read

Leave a Comment Cancel Reply