A new botnet is spreading Mirai across the world, with thousands of devices affected

DDoS attack
(Image credit: FrameStockFootages / Shutterstock)

Cybersecurity researchers have spotted a new campaign to bring additional endpoints into the Mirai botnet. 

According to a blog post from Akamai Security Intelligence Response Team (SIRT), unidentified threat actors discovered two new zero-day vulnerabilities and are currently exploiting them to strengthen the infamous DDoS botnet.

Given that the zero-days are yet to receive a patch, Akamai was careful not to give out too much information and point even more hackers in the right direction.

Reader Offer: $50 Amazon gift card with demo

Reader Offer: $50 Amazon gift card with demo
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?

Weak credentials

“Although this information is limited, we felt it was our responsibility to alert the community about the ongoing exploitation of these CVEs in the wild. There is a thin line between responsible disclosing information to help defenders, and oversharing information that can enable further abuse by hordes of threat actors,” the company stressed.

All the researchers said is that the attackers found the flaws in at least one model of a network video recorder, as well as in an “outlet-based wireless LAN router built for hotels and residential applications.” The manufacturer is a Japanese firm that “produces multiple switches and routers”.

As for the specifics of the vulnerability itself, it was found in a “very common” feature, which led the researchers to speculate that other router models sold by the same manufacturer might have it, too. 

The flaws grant remote code execution (RCE) abilities, and while those are currently used to drop Mirai, they could be used for virtually any other malware out there. The silver lining is that in order to abuse the flaw, the attacker first needs some form of authentication. That’s why the attackers seem to be going for endpoints with weak or non-existent credentials. Those with passwords such as “password” or “password1” are the first in line to be compromised. 

Akamai notified both manufacturers of the discovered flaws, and while one acknowledged the findings and promised a patch next month, the other one is silent. The status of that patch is currently unknown.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.