Security researchers at Akamai have discovered two new zero-day vulnerabilities being actively exploited to incorporate routers and video recorders into a hostile botnet. These vulnerabilities, previously unknown to both manufacturers and the security community, allow remote execution of malicious code on devices using default administrative credentials. The attackers have been leveraging these vulnerabilities to infect devices with Mirai, a powerful botnet software, to conduct distributed denial-of-service (DDoS) attacks.
The vulnerabilities are present in specific models of network video recorders and a wireless LAN router intended for hotels and residential applications, produced by a Japan-based manufacturer. The affected devices were found to have security flaws in the communication between their software and hardware. Akamai has reported these vulnerabilities to the manufacturers, with one confirming that security patches will be released next month.
The exploitation of these vulnerabilities involves command injection, requiring the attacker to authenticate themselves using the credentials configured in the vulnerable device. Akamai researcher Larry Cashdollar noted that devices with easily guessable logins are at heightened risk. The incomplete Internet scan by Akamai revealed at least 7,000 vulnerable devices, but the actual number could be higher.
Mirai, the botnet software used in these attacks, gained notoriety in 2016 for its massive DDoS attack capabilities. The current Mirai strain, primarily an older version known as JenX, has been modified and shows similarities to other Mirai variants. Akamai has provided Snort rules and indicators of compromise for organizations to detect and repel these attacks, although the specific vulnerable devices and their manufacturers remain unidentified.
This discovery underscores the ongoing threat posed by IoT botnets and the critical importance of cybersecurity vigilance in protecting against such sophisticated attacks.
Sources include: Ars Technica