Researchers for the first time have discovered a variant of the Mirai Internet of Things botnet that targets an vulnerability found in unpatched versions of the open-source Apache Struts web app development platform.
That bug is none other than the infamous CVE-2017-5638, a remote code execution flaw that was exploited in the Equifax data breach, according to a Sept. 9 blog post from Palo Alto Networks’ Unit 42 threat research division. And the decision to strategically incorporate this bug could indicate a larger movement from consumer device targets to enterprise targets,” reports post author and researcher Ruchna Nigam.
CVE-2017-5638 is actually just one of 16 vulnerabilities that the Mirai variant abuses, including RCE and command injections bugs in a wide variety of networking devices, routers, CCTVs and DVRs.
Unit 42 researchers uncovered samples of the Mirai variant on Sept. 7, tracing the threat to a pair of malicious domains, one of which was used in August to spread a new version of a second IoT botnet called Gafgyt.
The Gafgyt variant had been updated to include an exploit for CVE-2018-9866, a recently discovered, critical remote code execution bug found in older, unsupported versions of SMB cybersecurity firm SonicWall’s Global Management System (builds 8.1 and earlier).
“These samples first surfaced on August 5, less than a week after the publication of a Metasploit module for this vulnerability,” and less than three weeks after SonicWall disclosed the issue in a July 17 security advisory, Nigam said in the post.
Studied samples of the Gafgyt variant also included exploits for devices from Huawei and D-Link, and can launch a “Blacknurse” low-bandwidth Internet Control Message Protocol (ICMP) DDoS attack.
SonicWall issued a statement to SC Media reiterating that Gafgyt exploits an older vulnerability as opposed to a newly discovered bug. “The issue referenced only affects an older version of the GMS software (version 8.1) which was replaced by version 8.2 in December 2016,” the statement reads. “Customers and partners running GMS version 8.2 and above are protected against this vulnerability. Customers still using GMS version 8.1 should apply a hotfix supplied by SonicWall in August 2018 and plan for an immediate upgrade, as GMS 8.1 went out of support in February 2018.”