Researchers have for the first time discovered a variant of the Mirai Internet of Things (IoT) botnet that targets a vulnerability found in unpatched versions of the open-source Apache Struts web application framework.
That bug is none other than the infamous CVE-2017-5638, a remote code execution flaw that was exploited in the Equifax data breach, according to a 9 September blog post from Palo Alto Networks' Unit 42 threat research division. "The decision to strategically incorporate this bug could indicate a larger movement from consumer device targets to enterprise targets," reports post author and researcher Ruchna Nigam.
CVE-2017-5638 is just one of 16 vulnerabilities that the Mirai variant abuses, including RCE and command injection bugs in a wide variety of networking devices, routers, CCTV cameras and DVRs.
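For defenders who want to know whether this botnet, or any of the many scanners that still throw the same payload, is knocking on their Struts servers, the following is an added example written for this page (it is not code from Unit 42, from the Mirai or Gafgyt samples, or from the Struts project). CVE-2017-5638 is triggered through the Content-Type header: the vulnerable Jakarta multipart parser echoes a malformed header value into an error message that is then evaluated as an OGNL expression, so every public exploit carries a literal "%{ ... }" expression in that header. The detector below parses raw HTTP request headers (assumed to be available from a reverse proxy, WAF or packet capture; the three request samples are constructed for illustration, and the exploit sample is deliberately abbreviated) and flags both full exploit attempts and bare expression probes.

```python
"""
Detector for CVE-2017-5638 (Apache Struts Jakarta Multipart parser OGNL
injection) exploitation attempts in raw HTTP requests.

Added example for this article; not code from Unit 42, the botnet samples or
the Struts project. All request samples are constructed for illustration.
"""
import re
from typing import Dict, List, Optional

# Headers the vulnerable parser reflects into the OGNL-evaluated error message.
HEADERS_OF_INTEREST = ("content-type", "content-disposition")

# OGNL expression opener. Struts evaluates "%{...}"; "${" is included because
# scanners commonly try both forms.
OGNL_OPEN = re.compile(r"[%$]\{")

# Tokens that only show up when the expression is trying to escape the
# sandbox or run commands. Heuristic: extend as new payload shapes appear.
SUSPICIOUS_TOKENS = (
    "#_memberAccess",
    "#context",
    "#cmd",
    "ognl.OgnlContext",
    "java.lang.ProcessBuilder",
    "java.lang.Runtime",
    "@java.lang",
)


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Return a lower-cased header map from a raw HTTP request.

    Assumes CRLF or LF line endings and stops at the first blank line, so the
    body is never inspected (the bug is in header handling, not body parsing).
    """
    headers: Dict[str, str] = {}
    lines = raw_request.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # lines[0] is the request line
        if not line.strip():
            break  # blank line terminates the header block
        name, sep, value = line.partition(":")
        if sep == "":
            continue  # not a header line; ignore
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_request(raw_request: str) -> Optional[str]:
    """Classify one request.

    Returns None for a clean request, a "probe" verdict when an OGNL opener is
    present without known hostile tokens, and an "exploit attempt" verdict
    naming the tokens seen when the expression looks like the public payloads.
    """
    headers = parse_headers(raw_request)
    for name in HEADERS_OF_INTEREST:
        value = headers.get(name)
        if value is None or not OGNL_OPEN.search(value):
            continue
        hits = [tok for tok in SUSPICIOUS_TOKENS if tok in value]
        if hits:
            return f"cve-2017-5638 exploit attempt in {name}: {', '.join(hits)}"
        return f"ognl expression in {name} header (probe)"
    return None


def scan(requests: List[str]) -> List[str]:
    """Run classify_request over a batch and return only the findings."""
    return [v for v in (classify_request(r) for r in requests) if v is not None]


# Constructed samples (hostnames and paths are made up).
BENIGN_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: struts.example.internal\r\n"
    "Content-Type: multipart/form-data; boundary=----FormBoundary7MA4YWxk\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Abbreviated version of the widely published payload shape: disable the
# OGNL sandbox via #_memberAccess, then start a process. Not a working exploit.
EXPLOIT_ATTEMPT = (
    "POST /index.action HTTP/1.1\r\n"
    "Host: struts.example.internal\r\n"
    "Content-Type: %{(#_='multipart/form-data')."
    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    "(#_memberAccess=#dm).(#cmd='id')."
    "(#p=new java.lang.ProcessBuilder({'/bin/sh','-c',#cmd})).(#p.start())}\r\n"
    "\r\n"
)

PROBE = (
    "GET /index.action HTTP/1.1\r\n"
    "Host: struts.example.internal\r\n"
    "Content-Type: %{1+1}\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for finding in scan([BENIGN_UPLOAD, EXPLOIT_ATTEMPT, PROBE]):
        print(finding)
```

The "%{" opener is the robust part of this check: the Jakarta parser consumes the header value verbatim, so an attacker cannot hide the expression behind URL encoding. The token list is a heuristic and will miss a novel payload, which is why a bare expression in the header is still reported as a probe. Hosts running Struts 2.3.32 or 2.5.10.1 and later are not exploitable by these requests, but a hit still tells you that your server is being scanned.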
Unit 42 researchers uncovered samples of the Mirai variant on 7 September, tracing the threat to a pair of malicious domains, one of which was used in August to spread a new version of a second IoT botnet called Gafgyt.
The Gafgyt variant had been updated to include an exploit for CVE-2018-9866, a recently discovered, critical remote code execution bug found in older, unsupported versions of Global Management System (builds 8.1 and earlier), a product of SonicWall, a cyber-security vendor focused on small and medium-sized businesses.
"These samples first surfaced on 5 August, less than a week after the publication of a Metasploit module for this vulnerability," and less than three weeks after SonicWall disclosed the issue in a 17 July security advisory, Nigam said in the post.
The studied samples of the Gafgyt variant also include exploits for devices from Huawei and D-Link, and can launch a "BlackNurse" DDoS attack, a low-bandwidth flood of ICMP Type 3 Code 3 (Destination Unreachable, Port Unreachable) packets that exhausts the CPU of some firewalls rather than their link capacity.