Mirai Spawn Echobot Found Using Over 50 Different Exploits

Updated on August 27, 2019 at 8:52 PM PST to add solution rules.

Another Mirai offshoot spotted: A variant of the Echobot botnet was found using over 50 exploits that lead to remote code execution (RCE), arbitrary command execution, and command injection in internet of things (IoT) devices.

Security researcher Carlos Brendel Alcañiz first tweeted about the different exploits the variant uses to propagate. The payloads dropped by the malware show that the operator behind the variant relies on old and known exploits, some of them dating back to 2010. Moreover, the code used is available in multiple public exploit repositories.

The malware dropper was reportedly hosted on an open server, in a file called Richard. What’s particularly noteworthy about the variant is that the exploits it uses do not target specific types of products or devices. BleepingComputer lists the wide range of devices the variant can affect, which includes network attached storage (NAS) devices, routers, security cameras, smart home hubs. The full list of exploits used by this particular Echobot variant is listed here.

[RELATED TREND MICRO RESEARCH: Mirai variant uses a combination of 13 exploits]

The number of payloads may be high, but this should not come as a surprise given that the Mirai malware’s source code was leaked in 2016. Malware authors have since come up with different variants and derivatives for campaigns that compromised many connected devices, usually through default or weak credentials.

Discovered by Palo Alto Networks researchers, Echobot was initially found using 18 exploits, followed by an Akamai report that described it incorporating 26 exploits. Trend Micro also reported about an Echobot variant that targets routers and other IoT devices with multiple exploits. The particular variant takes advantage of multiple publicly available proofs of concepts (PoCs) and Metasploit modules.

[READ: Mirai variant targets routers and other IoT devices with multiple exploits]

Securing connected devices against Mirai and its offshoots

Malware authors have been putting their own spin on the infamous IoT malware since its discovery in 2016. Many botnets have since cropped up to attack devices, and this will likely continue. Based on related malicious activities in the past, hackers usually rely on attacking unpatched devices and those that use default settings and credentials. While device manufacturers play important roles in securing the devices, users and enterprises should also adopt best practices for added protection, such as:

• Regularly updating devices and changing access credentials
• Configuring the router’s settings to deter potential intrusions
• Disabling outdated and unused device components
• Enabling the auto-update feature if the device allows it
• Encrypting the connections that the devices use
• Incorporating security tools that provide additional protection to home networks and devices connected to them
• Using only legitimate applications from trusted sources and stores

[SECURITY 101: Protecting wireless networks against hacking and eavesdropping]

In addition to the aforementioned best practices, users can employ comprehensive protections such as the Trend Micro™ Security and Trend Micro™ Internet Security solutions, which offer effective safeguards against threats to IoT devices through features that can detect malware at the endpoint level. Connected devices can also be protected by security software such as the Trend Micro™ Home Network Security and Trend Micro Smart Home Network™ (SHN) solutions, which can check internet traffic between the router and all connected devices. The Trend Micro™ Deep Discovery™ Inspector network appliance can monitor all ports and network protocols for advanced threats and protect enterprises from targeted attacks.

Users of the Trend Micro Smart Home Network™ solution are protected from particular vulnerabilities and related attacks via these rules:

• 1057889 WEB D-Link Devices UPnP SOAP Command Execution (BID-61005)
• 1057915 WEB Alcatel-Lucent OmniPCX Enterprise Remote Command Execution (CVE-2007-3010)
• 1059405 WEB Fritz Box Webcam Unauthenticated Command Injection (BID-65520)
• 1059614 SIP Yealink VoIP Phone SIP-T38G - Remote Command Execution (CVE-2013-5758)
• 1059700 WEB Rocket Servergraph Admin Center fileRequestor run and runClear Command Executions -1 (CVE-2014-3914)
• 1110349 WEB HP OpenView Network Node Manager Remote Command Execution (CVE-2005-2773)
• 1133310 WEB Netgear R7000 Command Injection -1.1 (CVE-2016-6277)
• 1133322 WEB op5 Monitor command_test.php Command Injection -1
• 1133323 WEB op5 Monitor command_test.php Command Injection -1
• 1133324 WEB op5 Monitor command_test.php Command Injection -1
• 1133419 WEB Netgear R7000 Command Injection -1.2 (CVE-2016-6277)
• 1133643 WEB WePresent WiPG-1000 Command Injection
• 1133855 WEB GoAhead IPCam Remote Code Execution -2.1
• 1134286 WEB Realtek SDK Miniigd UPnP SOAP Command Execution (CVE-2014-8361)
• 1134934 WEB VMware NSX SD-WAN Edge Command Injection -1 (CVE-2018-6961)
• 1134935 WEB VMware NSX SD-WAN Edge Command Injection -2 (CVE-2018-6961)
• 1134936 WEB ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution (CVE-2018-11510)
• 1135137 WEB Homematic CCU2 2.29.23 Remote Command Execution (CVE-2018-7297)
• 1135388 WEB NUUO NVRmini upgrade_handle.php Remote Command Execution (CVE-2018-14933)mote Command Execution (CVE-2018-14933)
• 1135454 WEB LG SuperSign EZ CMS 2.5 Remote Code Execution (CVE-2018-17173)
• 1135463 WEB Belkin Wemo UPnP Remote Code Execution
• 1135485 WEB Netgear ReadyNAS Surveillance and NUUO NVRMini Remote Command Execution (CVE-2018-15716)
• 1135486 WEB Linksys WAP54Gv3 Remote Debug Root Shell
• 1135577 WEB Oracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 Remote Code Execution -2 (CVE-2019-2725)
• 1135581 WEB Oracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 Remote Code Execution -2 (CVE-2019-2725)
• 1135582 WEB Oracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 Remote Code Execution -2 (CVE-2019-2725)
• 1135641 WEB ASUS DSL-N12E_C1 1.1.2.3_345 - Remote Command Execution -1.1 (CVE-2018-15887)
• 1135643 WEB ASUS DSL-N12E_C1 1.1.2.3_345 - Remote Command Execution -1.2 (CVE-2018-15887)
• 1135647 ICS Schneider Electric U.Motion Builder 1.3.4 Unauthenticated Command Injection (CVE-2018-7841)
• 1135656 WEB Oracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 Remote Code Execution -2 (CVE-2019-2725)
• 1135657 WEB Oracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 Remote Code Execution -2 (CVE-2019-2725)