Unit 42 researchers observed a new Mirai variant targeting IoT and network security devices. They discovered attacks leveraging several vulnerabilities, including:
- VisualDoor (a SonicWall SSL-VPN exploit).
- CVE-2020-25506 (a D-Link DNS-320 firewall exploit).
- CVE-2020-26919 (a Netgear ProSAFE Plus exploit).
- Possibly CVE-2019-19356 (a Netis WF2419 wireless router exploit).
- Three other IoT vulnerabilities yet to be identified.
The attacks are still ongoing. Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviours such as downloading and executing Mirai variants and brute-forcers.
Vulnerabilities Being Exploited
Upon successful exploitation, the wget utility is invoked to download a shell script from the malware infrastructure. The shell script then downloads several Mirai binaries compiled for different architectures and executes these downloaded binaries one by one.
- VisualDoor: SonicWall SSL-VPN Remote Command Injection Vulnerability
The exploit of SonicWall SSL-VPN targets an old version of Bash, which is vulnerable to ShellShock. An attacker can send a crafted Common Gateway Interface (CGI) request to a particular shell script leading to unauthenticated remote code execution (RCE) vulnerability.
- CVE-2020-25506: D-Link DNS-320 Firewall Remote Command Execution Vulnerability
The exploit targets a command injection vulnerability in a system_mgr.cgi component. The component does not successfully sanitize the value of the HTTP parameters f_ntp_server, which in turn leads to arbitrary command execution.
- CVE-2021-27561 and CVE-2021-27562: Yealink Device Management Pre-Auth ‘root’ Level Remote Code Execution Vulnerability
The exploit works by chaining a pre-auth Server-Side Request Forgery (SSRF) vulnerability and a command injection vulnerability, making it possible to execute commands as root without authentication, simply by sending an HTTPS request to the remote target.
- CVE-2021-22502: Micro Focus Operation Bridge Reporter (OBR) Remote Code Execution
The exploit works due to the unsanitized use of the “username” and “password” parameters in requests made to the LogonResource API. The vulnerability can be exploited to allow unauthenticated RCE as root on the OBR server.
- CVE-2019-19356: Netis WF2419 Wireless Router Remote Code Execution Vulnerability
The exploit targets an RCE vulnerability in a diagnostic tool utility. An authenticated attacker can perform command execution via multiple vulnerable parameters such as IP address or domain name.
- CVE-2020-26919: Netgear ProSAFE Plus Unauthenticated Remote Code Execution Vulnerability
The exploit targets debug web sections and an attacker can execute system commands through it. This is due to the lack of proper checks on access controls leading to RCE with administrator privileges.
- Unidentified vulnerability (lang parameter command injection)
The exploit of an unidentified vulnerability targets a command injection vulnerability in certain components. The component does not successfully sanitize the value of the HTTP parameter lang, which in turn leads to arbitrary command execution.
- Unidentified vulnerability (key parameter command injection)
The unknown exploit targets the login CGI script, where a key parameter is not properly sanitized leading to command injection.
- Unknown vulnerability (op_type parameter command injection)
This exploit targets the op_type parameter, which is not properly sanitized leading to command injection. It has been observed in the past being used by Moobot, however, the exact target is unknown.
The IoT realm remains an easily accessible target for attackers. Many vulnerabilities are very easy to exploit and could, in some cases, have terrible consequences. Researchers advise customers to apply patches whenever possible.
Palo Alto Networks Next-Generation Firewall customers with Threat Prevention, WildFire and URL Filtering security subscriptions, as well as AutoFocus can detect and block all the exploit attempts from this kind of malware family.