Cybersecurity researchers have spotted a new campaign to bring additional endpoints into the Mirai botnet.
According to a blog post from Akamai Security Intelligence Response Team (SIRT), unidentified threat actors discovered two new zero-day vulnerabilities and are currently exploiting them to strengthen the infamous DDoS botnet.
Given that the zero-days are yet to receive a patch, Akamai was careful not to give out too much information and point even more hackers in the right direction.
Weak credentials
“Although this information is limited, we felt it was our responsibility to alert the community about the ongoing exploitation of these CVEs in the wild. There is a thin line between responsible disclosing information to help defenders, and oversharing information that can enable further abuse by hordes of threat actors,” the company stressed.
All the researchers said is that the attackers found the flaws in at least one model of a network video recorder, as well as in an “outlet-based wireless LAN router built for hotels and residential applications.” The manufacturer is a Japanese firm that “produces multiple switches and routers”.
As for the specifics of the vulnerability itself, it was found in a “very common” feature, which led the researchers to speculate that other router models sold by the same manufacturer might have it, too.
The flaws grant remote code execution (RCE) abilities, and while those are currently used to drop Mirai, they could be used for virtually any other malware out there. The silver lining is that in order to abuse the flaw, the attacker first needs some form of authentication. That’s why the attackers seem to be going for endpoints with weak or non-existent credentials. Those with passwords such as “password” or “password1” are the first in line to be compromised.
Akamai notified both manufacturers of the discovered flaws, and while one acknowledged the findings and promised a patch next month, the other one is silent. The status of that patch is currently unknown.