
The Mirai botnet exploits a new vulnerability affecting companies around the world


Malware or malicious code has been around for over 40 years now, but its use to obtain control of a group of Internet-connected systems in something called a ‘botnet’ is a relatively new phenomenon. Botnets have been behind some of the most costly security incidents of the last 10 years and, consequently, companies around the world are going to great lengths to counter this threat.

An example of this type of threat is Mirai, the botnet responsible for one of the largest distributed denial of service (DDoS) attacks ever seen, which affected leading names such as Twitter, Netflix, Spotify, and PayPal. This malware infected and lay dormant in thousands of IoT devices before its creators activated it on October 21, 2016, to attack the DNS service provider Dyn. The company’s services and those of its customers were down or interrupted for several hours.

It initially seemed that the scope of Mirai attacks was limited to IoT devices, but this theory was dismissed when further cases were detected. Cybercriminals had begun to use Mirai to open a new flank: attacks on devices running Linux. Mirai botnets are now trying to exploit a critical RCE flaw in F5’s BIG-IP software.

The latest Mirai target: BIG-IP devices

BIG-IP devices are used on government networks and by Internet service providers (ISPs), as well as by banks around the world and on many business networks, including 48 companies in the Fortune 50.

The CVE-2020-5902 vulnerability could allow an adversary, even one who is not authenticated, with access to the TMUI (the configuration utility) through the BIG-IP management port and/or Self IPs to run arbitrary commands on the system, create or delete files, disable services, and run arbitrary Java script, which could completely compromise the system.

According to results from Shodan, the current number of devices vulnerable to CVE-2020-5902 exceeds 8,400, mostly in the USA and China. In fact, given the severity of the vulnerability and its potential impact, the U.S. Cyber Command repeated the warning issued by the company and called on organizations to install the corresponding patch as soon as possible.

The Mirai botnet’s downloader can be bundled into new malware strains. The tool scans for vulnerable BIG-IPs and attacks them using CVE-2020-5902, a remote code execution (RCE) vulnerability in the Traffic Management User Interface (TMUI) of BIG-IP devices. To exploit the vulnerability, an attacker only needs to send an HTTP request to the server hosting the TMUI for the BIG-IP settings. According to researchers, a successful exploit of this security issue could lead to the system being completely compromised and expose the internal network.
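Because the flaw is reachable by anyone who can send an HTTP request to the TMUI, one practical defender check is to review the web server’s access log for configuration-utility requests that did not come from an administrative network. The script below is an added example, not code from the original article or from F5: it parses constructed Apache combined-format log lines (not real BIG-IP logs) and reports every source address that reached a `/tmui/` path from outside the assumed admin network `10.0.0.0/24`.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not real BIG-IP logs).
SAMPLE_LOG = """\
10.0.0.5 - admin [06/Jul/2020:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Jul/2020:10:01:07 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 3120 "-" "python-requests/2.23"
203.0.113.9 - - [06/Jul/2020:10:01:09 +0000] "POST /tmui/Control/form HTTP/1.1" 404 512 "-" "python-requests/2.23"
10.0.0.7 - - [06/Jul/2020:10:01:30 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.4 - - [06/Jul/2020:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.68"
"""

# Assumption: administrators only ever reach the configuration utility from these networks.
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_tmui_request(path):
    """The configuration utility lives under /tmui/; compare case-insensitively."""
    return path.lower().startswith("/tmui/")

def source_allowed(ip, admin_networks=ADMIN_NETWORKS):
    """True if the client address falls inside one of the administrative networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in admin_networks)

def find_unexpected_tmui_sources(log_text, admin_networks=ADMIN_NETWORKS):
    """Return {source_ip: request_count} for TMUI requests from outside the admin networks."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_tmui_request(rec["path"]) and not source_allowed(rec["ip"], admin_networks):
            hits[rec["ip"]] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, count in find_unexpected_tmui_sources(SAMPLE_LOG).items():
        print(f"TMUI reached from non-admin source {ip}: {count} request(s)")
```

Any hit from an address outside the admin networks means the management plane is reachable from somewhere it should not be, regardless of whether the device is already patched.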

To protect against this type of cyberattack, businesses should take adequate measures to ensure the security of their digital resources:

And if there is one thing that characterizes botnet attacks it is their stealth, so prevention and countermeasures must also be proactive, monitoring all processes on a company’s systems to ensure all-round business cybersecurity.

