Microsoft researchers reported that the most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively), and new DDoS attack capabilities.
In a Dec. 21 blog post, researchers from Microsoft Security Threat Intelligence (MSTI) described Zerobot as a Go-based botnet that spreads primarily through IoT and web application vulnerabilities.
Upon gaining device access, MSTI said Zerobot injects a malicious payload, which may be a generic script called zero.sh that downloads and attempts to execute Zerobot, or a script that downloads the Zerobot binary of a specific architecture.
The researchers said the script that looks to download different Zerobot binaries attempts to identify the architecture by brute-force, then it downloads and executes binaries of various architectures until it succeeds.
Zerobot and other methods of forming botnet armies are about as serious as it gets, said Bud Broomhead, chief executive officer at Viakoo. Broomhead said threat actors gain not just one foothold in a network, but thousands of them when IoT/OT devices are infected. Broomhead also added that DDoS attacks are increasing in size, frequency, and duration — up over 90% year-over-year by some estimates — and it’s because the spread of bots like Zerobot have been largely unchecked.
“Threat actors will always go to where defenses are weakest and the potential for exploits is highest — and that’s exactly what IoT and OT devices offer today,” said Broomhead. “Many cyber defenses rely on agent-based technology to protect IT systems. IoT/OT devices can’t accept agents, making IT-oriented solutions ineffective in stopping threats like Zerobot.”
Malware that has the ability to affect IoT devices should raise some eyebrows among security teams, said Andrew Barratt, vice president at Coalfire. Barratt said this discovery has the potential to uncover whole range of issues from a privacy perspective to more seriously, an impact on life.
“Imagine, particularly with the heavy cold setting across North America, a malware that manipulated heating systems in exchange for a ransomware-style payment,” said Barratt. “Security teams and end consumers of IoT devices need to ensure they're not exposing these directly to the internet by taking extra care to lock down the devices and preferably firewall the affected ports so they're not easy to connect to one another.”
