Skip to main content

"Son of Mirai" botnet appears

Image credit: Pixabay

While the Mirai IoT botnet primarily targeted consumer devices using default credentials, a spiritual successor has emerged which could potentially infect devices running on enterprise networks.

Security researchers at Palo Alto Networks' Unit 42 recently discovered a new strain of a botnet malware called Echobot which is based on Mirai's source code and targets flaws in business tools.

In addition to previously targeted vulnerabilities, Echobot also tires to exploit the CVE-2019-2725 vulnerability in Oracle WebLogic Server and the CVE-2018-6961 vulnerability in VMware NSX SD-WAN to add even more machines to its botnet.

According to Palo Alto's team, those behind Echobot have expanded the malware's exploit arsenal as a way of reaching additional devices besides home routers, webcams and digital video recorders. Mirai gained notoriety for preying on consumer devices and now, Echobot and other variants have set their sights on the enterprise.

New targets

By expanding its range of targets, Echobot now poses an even greater threat than Mirai once did and according to Akamai's Larry Cashdollar, the botnet is also trying to exploit security flaws from the past.

Cashdollar discovered that several of the malware's new exploits are for vulnerabilities that have been around for almost a decade but were never properly addressed including the CVE-2009-5157 vulnerability found in Linsys devices and the CVE-2010-5330 vulnerability in Ubiquiti's devices.

In a blog post on Akamai's site, Cashdollar provided further insight on how Echobot is trying to exploit older vulnerabilities, saying:

“Botnet developers are always looking for ways to spread malware. They are not just relying on exploiting new vulnerabilities that target IoT devices, but vulnerabilities in enterprise systems as well. Some of the new exploits they've added are older and have remained unpatched by the vendor. It seems the updates to Echobot are targeting systems that have possibly remained in service, but whose vulnerabilities were forgotten. This is an interesting tactic as these systems if found have remained vulnerable for years and will probably remain vulnerable for many more.”

Via The Register