Updated on August 27, 2019 at 8:52 PM PST to add solution rules.
Another Mirai offshoot spotted: A variant of the Echobot botnet was found using over 50 exploits that lead to remote code execution (RCE), arbitrary command execution, and command injection in internet of things (IoT) devices.
Security researcher Carlos Brendel Alcañiz first tweeted about the different exploits the variant uses to propagate. The payloads dropped by the malware show that the operator behind the variant relies on old and known exploits, some of them dating back to 2010. Moreover, the code used is available in multiple public exploit repositories.
The malware dropper was reportedly hosted on an open server, in a file called Richard. What’s particularly noteworthy about the variant is that the exploits it uses do not target specific types of products or devices. BleepingComputer lists the wide range of devices the variant can affect, which includes network attached storage (NAS) devices, routers, security cameras, smart home hubs. The full list of exploits used by this particular Echobot variant is listed here.
[RELATED TREND MICRO RESEARCH: Mirai variant uses a combination of 13 exploits]
The number of payloads may be high, but this should not come as a surprise given that the Mirai malware’s source code was leaked in 2016. Malware authors have since come up with different variants and derivatives for campaigns that compromised many connected devices, usually through default or weak credentials.
Discovered by Palo Alto Networks researchers, Echobot was initially found using 18 exploits, followed by an Akamai report that described it incorporating 26 exploits. Trend Micro also reported about an Echobot variant that targets routers and other IoT devices with multiple exploits. The particular variant takes advantage of multiple publicly available proofs of concepts (PoCs) and Metasploit modules.
Securing connected devices against Mirai and its offshoots
Malware authors have been putting their own spin on the infamous IoT malware since its discovery in 2016. Many botnets have since cropped up to attack devices, and this will likely continue. Based on related malicious activities in the past, hackers usually rely on attacking unpatched devices and those that use default settings and credentials. While device manufacturers play important roles in securing the devices, users and enterprises should also adopt best practices for added protection, such as:
[SECURITY 101: Protecting wireless networks against hacking and eavesdropping]
In addition to the aforementioned best practices, users can employ comprehensive protections such as the Trend Micro™ Security and Trend Micro™ Internet Security solutions, which offer effective safeguards against threats to IoT devices through features that can detect malware at the endpoint level. Connected devices can also be protected by security software such as the Trend Micro™ Home Network Security and Trend Micro Smart Home Network™ (SHN) solutions, which can check internet traffic between the router and all connected devices. The Trend Micro™ Deep Discovery™ Inspector network appliance can monitor all ports and network protocols for advanced threats and protect enterprises from targeted attacks.
Users of the Trend Micro Smart Home Network™ solution are protected from particular vulnerabilities and related attacks via these rules:
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.