Mirai variant Echobot has 71 unique exploits, 13 previously unexploited


The Echobot malware has resurfaced with an increased number of device vulnerabilities it can exploit.

According to a blog post by researchers at Palo Alto Networks, this Mirai variant stands out for the number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven’t been seen exploited in the wild until now.

These range from extremely old CVEs dating as far back as 2003 to vulnerabilities made public as recently as early December 2019.

"Based on this seemingly odd choice, one could risk a guess that the attackers could potentially be aiming for the sweet spots of IoT vulnerabilities, targeting either legacy devices that are still in use but probably too old to update due to compatibility issues and newer vulnerabilities that are too recent for owners to have patched," said researchers.

Researchers added that the newly incorporated exploits target a range of devices from the usually expected routers, firewalls, IP cameras and server management utilities, to more rarely seen targets like a PLC, an online payment system and even a yacht control web application.

This latest version first appeared in late October and again in early December, switching payload IPs and finally adding two more exploits that weren’t in the samples from October.

Researchers said: "We are unable to speculate at this point in time on the overall effectiveness of their approach – be it the use of a large number of exploits, or the choice of the exploits themselves."

Patrice Puichaud, senior director of the SEs, EMEA and APAC at SentinelOne, told SC Media UK that due to their ability to coordinate attacks at massive scale, as well as deliver diverse payloads and infect other machines, botnets are a significant threat to individuals, enterprise and government organisations. 

"With botnets now targeting the increasing number of IoT devices flooding both public and private networks, it is essential to ensure that you have EDR protection on endpoints and full visibility into every device on your network," he said.

Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that going after both legacy and new systems is a sly strategy. Newer devices may have additional functionality which can be exploited. 

"While legacy devices are probably not possible to be updated, or may even have been left unmanaged, so any takeover of these legacy systems will let attackers enjoy access for a lot longer," he said.

"Many IoT devices are woefully inadequate when it comes to security, therefore organisations should always look to put in place their own controls such as segmenting them from the main network. Organisations should also thoroughly inspect IoT devices before implementing them into the organisation. Ensuring that they can be patched in the event of a vulnerability being known, and each device is unique, without a standard password that would allow anyone access."
