A newly discovered variant of Echobot, an offshoot of the Mirai family of Internet of Things botnet malware, was found to contain a whopping 26 different exploits for infecting victim machines. This revelation is the latest in a string of research reports detailing Mirai-related malware with increasingly large exploit totals.
In a company blog post today, Akamai Technologies researcher Larry Cashdollar reported finding the new version of Echobot, which added exploits for AirOS, Asmax, DD-WRT, D-Link, Linksys, Seowon Intech, Yealink and Zeroshell products, on top of previously observed Echobot exploits for products from ADM, Asus, Belkin, Blackbot, Dell, Dreambox, Geutebruck, HooToo, Netgear, NUUO, Oracle, Realtek, SuperSign, UMotion, VeraLite, VMware, wePresent and WIFICAM.
Many of the exploits were of the remote code execution variety, Cashdollar noted.
“What I found the most interesting, and not so surprising, is the inclusion of cross-application vulnerabilities,” Cashdollar wrote. “For example, rather than sticking to devices with embedded OSs like routers, cameras, and DVRs, IoT botnets are now using vulnerabilities in enterprise web (Oracle WebLogic) and networking software (VMware SD-WAN) to infect targets and propagate malware.”
“Also of note is the inclusion of 10+ year old exploits for network devices that I believe may never have been patched by the vendors. This alludes to the botnet developers deliberately targeting unpatched legacy vulnerabilities,” Cashdollar continued.
On June 6, Palo Alto Networks’ Unit 42 threat intelligence team published research on a Mirai variant with 18 exploits, eight of which it said were new to the IoT bot at the time. And on May 24, Trend Micro reported on a Mirai variant featuring a unique combination of 13 exploits.