Aquabot, a Mirai Botnet Vararinant, is actively actively and actively involved in a network that can attach a dispersed (DDOS) attack by utilizing the moderate security defects that affect MITEL telephone. It has been observed to be exploiting.
The vulnerability in question is CVE-2024-41710 (CVSS score: 6.8). This is the case of a command injection in a boot process that allows you to run any command in a telephone context.
It affects the MITEL 6800 series, 6900 series, 6900W series SIP phone, MITEL 6970 Conference Unit. This was addressed by Maitel in mid -July 2024. The abuse of defective concept demonstration (POC) was released in August.
Other than the CVE-2024-41710, some of the other vulnerabilities targeted by the botnet include CVE -2018-10561, CVE -2018-10562, CVE-2018-17532, CVE-2012-31137, CVE-2023-26801 and A are included. Linksys E-Series A defect in remote code execution targeting devices.
“Aquabot is a botnet built from the Mirai framework with the ultimate goal of the distributed service refusal (DDOS),” said Akamai researcher Kail Lefon and Rally Cashdler. “It has been known since November 2023.”
Web Infrastructure Company has detected aggressive exploitation attempts for CVE-2024-41710 since early January 2025, and states that the attack reflects “almost the same POC” that develops botnet malware. Ta.
Attacks include running a shell script to get Aquabot in various CPU architectures using the “WGET” command.
The Aquabot Mirai Vararinity found in the attack has been evaluated as the third repetition of malware and reports to the command and control (C2) server when a kill signal is caught by an infected person, “Report_kill” It is equipped with a function. device. However, the transmission of this information has not been known to bring out the response from the server.
This new version is renamed “httpd.x86” in addition to triggering C2 communication when a specific signal is detected, to avoid drawing attention, and matches certain requirements such as local shells. It is programmed to end the process. It is suspected that the signal processing function is likely to be incorporated to create more stealth variants and detect malicious activities from competing botnets.
Several a threat person behind Aquabot suggests that the infringed host network is provided as a DDOS service as a Telegram DDOS service under the monar Cursinq firewall, eye service, and an iconette. There is evidence.
This development is a sign that MIRAI often lacks appropriate security functions or has reached the end -of -life period, and continues to bother devices connected to a wide Internet that can be accessed in the default configuration and password. is. For exploitation for DDOS attacks and important conduit.
“Threat -threatening stakeholders claim that botnets are used only for the purpose of the DDOS easing test and try to misunderstand researchers or law enforcement,” researchers said.
“Threat -related stakeholders claim that it is mere POC or something educational, but deeper analysis indicates that DDO is actually advertising as a service.
Source link
