A new version of Mirai exploits the Apache Struts flaw linked to the Equifax breach, while Gafgyt targets an old flaw in SonicWall.
Well-known Internet of Things (IoT) botnets Mirai and Gafgyt have resurfaced with new variants targeting vulnerabilities in Apache Struts and SonicWall, respectively.
Researchers in Palo Alto Networks’ Unit 42 detected the new versions of Mirai and Gafgyt, both of which have been linked to massive distributed denial of service (DDoS) attacks since November 2016. They suggest both botnets are veering away from consumer targets and toward the enterprise.
The Mirai samples were found in the first week of September, while the Gafgyt samples were available on and off throughout the month of August. Both were using the same domain.
Mirai is an evolution of the Gafgyt botnet (also known as Bashlite or Torlus), an IoT/Linux botnet, explains Ryan Olson, vice president of threat intelligence for Unit 42. It was originally designed to spread across Linux devices by brute-forcing default credentials so the attacked devices could then be commanded to launch DDoS attacks.
“Neither is more inherently dangerous than the other, though, as we note, these samples of Mirai are notable for how many vulnerabilities they target,” Olson says of the recent findings.
On Sept. 7, Unit 42 discovered samples of another Mirai variant packing exploits targeting 16 distinct vulnerabilities. It’s not the first time the botnet has been seen leveraging multiple exploits in a single sample. However, it is the first time Mirai has leveraged a vulnerability in Apache Struts – the same bug associated with the massive Equifax data breach in September 2017.
The other 15 vulnerabilities all target IoT devices and have previously been seen in different combinations within different Mirai variants, says Olson, who adds that “the Struts addition is the most notable change in this version of Mirai we found.” It’s also worth noting these samples don’t include the brute-force functionality generally used in the Mirai botnet.
Researchers found the same domain hosting the Mirai samples previously resolved to a different IP in August. During that time, the IP was sporadically hosting samples of Gafgyt that included an exploit against CVE-2018-9866, a SonicWall bug affecting older versions of the SonicWall Global Management System (GMS).
Both the Apache Struts and SonicWall exploits are deemed Critical, with a CVSS score of 10. Their effectiveness depends on the number of exposed systems, Olson says. The Apache Struts vuln has been public for a year. The SonicWall bug only affects unsupported versions; the company advises users running GMS software to ensure they’re upgraded to version 8.2 as GMS version 8.1 went out of support in Feb. 2018.
“For either to be effective, an organization needs to be behind on their versions and updates,” he says.
Olson believes the two new variants of Mirai and Gafgyt come from the same actor but couldn’t speak to why they might have chosen to leverage two botnets instead of one.
“Seeing as the samples originated from IPs that resolved to the same domain at different times, and based on some other OPSEC failures, I’m fairly certain these originate from the same actor/group,” says Olson of their starting point. “I can’t pinpoint any advantage one has over the other to explain the choice of using different base source codes.”
For now, it seems the attackers are testing different vulnerabilities to gauge their efficiency at herding the maximum number of bots, giving them greater power for a DDoS, Olson says. A move to the enterprise would allow the botnets access to greater Internet bandwidth than individual home users and connections, he adds – a sign the bots may be targeting businesses.