Technology

TP-Link and NR routers targeted by worrying new botnet

December 26, 2024

Researchers discovered multiple vulnerable endpoints being targeted by a new Mirai variant
The endpoints are assimilated into a botnet and used for DDoS attacks
The vulnerabilities used in the attack are years old

Mirai, an infamous botnet targeting Internet of Things (IoT) devices to use in Distributed Denial of Service (DDoS) attacks, has gotten a new variant which is now targeting multiple vulnerable devices, experts hae warned.

The malware is reportedly going after DigiEver DS-2105 Pro NVRs, multiple TP-Link routers with outdated firmware, and Teltonika RUT9XX routers. For DigiEver, Mirai is abusing an unpatched remote code execution (RCE) vulnerability that doesn’t even have a tracking number.

For TP-Link, Mirai abuses CVE-2023-1389, and for Teltonika, it’s going for CVE-2018-17532. It’s worth noting that the TP-Link flaw is a year old, while the Teltonika one is roughly six years old. That means that the crooks are mostly targeting organizations with poor cybersecurity and patching practices.

Mirai is an active threat

The campaign most likely started in September or October 2024, and according to researchers from Akamai, uses XOR and ChaCha20 encryption, and targets different system architectures, including ARM, MIPS, and x86.

“Although employing complex decryption methods isn’t new, it suggests evolving tactics, techniques, and procedures among Mirai-based botnet operators,” Akamai said.

“This is mostly notable because many Mirai-based botnets still depend on the original string obfuscation logic from recycled code that was included in the original Mirai malware source code release.”

Experts from Juniper Research recently warned Mirai operators were looking for easy-to-compromise Session Smart routers.

“On Wednesday, December 11, 2024, several customers reported suspicious behavior on their Session Smart Network (SSN) platforms,” Juniper said in its security advisory.

Researchers also recently reported cybercriminals were exploiting a flaw in the AVM1203, a surveillance camera model designed and sold by Taiwanese manufacturer AVTECH, to hijack the endpoints and assimilate them into the Mirai botnet.

Via BleepingComputer

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar