Threat actors are exploiting previously unknown bugs in certain routers and network video recorder (NVR) devices to build a Mirai-based distributed denial-of-service (DDoS) botnet, dubbed InfectedSlurs.
The newly discovered zero-day remote code execution vulnerabilities are only exploitable on devices still using the manufacturers' default admin credentials, a basic hardening step that users very often skip.
In a post this week, researchers at Akamai's Security Intelligence Response Team (SIRT) said they discovered the botnet through the company's global honeypots last month and identified that it was targeting NVR devices from a specific manufacturer.
“The SIRT did a quick check for CVEs known to impact this vendor’s NVR devices and was surprised to find that we were looking at a new zero-day exploit being actively leveraged in the wild,” the researchers wrote.
Further investigation revealed a second device from a different manufacturer — a wireless LAN router designed for hotels and residential use — was also being targeted by the threat actors behind the botnet.
The researchers said they alerted the manufacturers to the respective vulnerabilities and were told by both that they expected to release patches for the affected devices next month. Until that occurred, Akamai would not identify the manufacturers.
“There is a thin line between responsibly disclosing information to help defenders, and oversharing information that can enable further abuse by hordes of threat actors,” the researchers said.
The router the threat group was targeting was made by a Japanese vendor that produces a range of switches and routers. Japan's Computer Emergency Response Team Coordination Center (JPCERT/CC) had confirmed the vulnerability, but Akamai did not know whether more than one model in the company's catalog was affected.
“The feature being exploited is a very common one, and it’s possible there is code reuse across product line offerings,” the researchers said.
Akamai labelled the botnet “InfectedSlurs” after the researchers discovered racial epithets and offensive language within the naming conventions used for the command-and-control domains associated with the botnet.
Mirai malware has been around since 2016, with dozens of variants appearing over the years. The group responsible for the InfectedSlurs botnet — which has not been identified — appeared to be primarily using an older JenX Mirai variant from 2018, the researchers said.
The JenX variant, first reported in 2018, was linked to a hosting service that ran Grand Theft Auto: San Andreas multiplayer servers and sold DDoS attacks as a paid add-on, with infected IoT devices generating the attack traffic.
The researchers said they would reveal more about the InfectedSlurs campaign after the manufacturers of the affected devices were able to mitigate the attacks.
“We plan to publish a follow-up blog post with additional details and deeper coverage of the devices and exploit payloads once the vendors and CERTs feel confident that responsible disclosure, patching, and remediation have run their course,” they said.
In the meantime, they recommended that security teams check internet of things (IoT) devices such as NVRs and routers to ensure they are no longer set to their factory default credentials.
“If you find devices believed to be vulnerable in your environments, isolate them if possible and investigate for potential compromise.”
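The default-credential check the researchers recommend, written out as an added example that is not Akamai's code nor either vendor's. It assumes the device exposes an admin web UI guarded by HTTP Basic authentication (the exact login mechanism of the affected NVR and router is not described on this page), uses an illustrative credential list rather than the vendors' real defaults, and includes a constructed fake device so the audit can be run offline against localhost.

```python
"""Audit HTTP-managed IoT devices (NVRs, routers) for still-active default admin credentials.

Added example, not Akamai's code. Assumes the device exposes an admin web UI guarded by HTTP
Basic authentication; the credential list below is illustrative, not either vendor's real defaults.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Illustrative factory defaults of the kind Mirai-style botnets try (assumption, not vendor data).
DEFAULT_CREDENTIALS = [("admin", "admin"), ("admin", "12345"), ("admin", ""), ("root", "root")]


def _basic_token(username: str, password: str) -> str:
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def try_basic_auth(url: str, username: str, password: str, timeout: float = 3.0):
    """Return True if the device accepts the pair, False if it rejects it, None if unreachable."""
    req = Request(url, headers={"Authorization": f"Basic {_basic_token(username, password)}"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except HTTPError:      # device answered with a non-2xx status (401/403): credentials not accepted
        return False       # (a 404 here means the admin path in the inventory is wrong)
    except URLError:       # connection refused, DNS failure, timeout: nothing listening
        return None


def audit_device(url: str, credentials=DEFAULT_CREDENTIALS) -> dict:
    """Try each default pair once and stop at the first one the device accepts."""
    for username, password in credentials:
        outcome = try_basic_auth(url, username, password)
        if outcome is None:
            return {"url": url, "status": "unreachable"}
        if outcome:
            return {"url": url, "status": "default_credentials_accepted",
                    "credentials": (username, password)}
    return {"url": url, "status": "defaults_rejected"}


def audit_inventory(urls) -> list:
    """Audit every device URL in the inventory; accepted entries are the ones to isolate and investigate."""
    return [audit_device(u) for u in urls]


# ---- constructed stand-in for a device web UI, so the audit can run offline ---------------------
class _FakeDeviceHandler(BaseHTTPRequestHandler):
    """Answers 200 only for the server's configured admin credentials, 401 otherwise (constructed)."""

    def do_GET(self):
        if self.headers.get("Authorization") == f"Basic {self.server.expected_token}":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"admin ui")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="device"')
            self.end_headers()

    def log_message(self, *args):  # keep request logging quiet
        pass


def start_fake_device(username: str, password: str) -> HTTPServer:
    """Start a local fake device on a random port; stop it with shutdown() and server_close()."""
    server = HTTPServer(("127.0.0.1", 0), _FakeDeviceHandler)
    server.expected_token = _basic_token(username, password)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def device_url(server: HTTPServer) -> str:
    return f"http://127.0.0.1:{server.server_address[1]}/"


if __name__ == "__main__":
    unchanged = start_fake_device("admin", "admin")       # shipped defaults never changed
    hardened = start_fake_device("admin", "Vq7#p2Lm!x9")   # constructed non-default password
    for result in audit_inventory([device_url(unchanged), device_url(hardened)]):
        print(result)
    for srv in (unchanged, hardened):
        srv.shutdown()
        srv.server_close()
```

Run it against a real inventory by replacing the fake-device URLs with the admin URLs of your own devices; anything reported as `default_credentials_accepted` is exactly the class of device InfectedSlurs is recruiting and should be isolated and examined for compromise before the password is changed, so that evidence is not lost.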