Researchers reported that new variants of the Internet of Things (IoT) botnets Mirai (Detection: Backdoor.Linux.MIRAI.AB) and Gafgyt (Detection: Backdoor.Linux.GAFGYT.AA) are targeting known vulnerabilities in Apache Struts and SonicWall products. Samples of the new Mirai variant target 15 vulnerabilities in Apache Struts with multiple exploits, including the flaw behind the 2017 Equifax data breach. Meanwhile, the new Gafgyt variant exploits a recently disclosed vulnerability in unsupported versions of SonicWall Global Management System (GMS), 8.1 and earlier.
One of the targets of the new Mirai variant is CVE-2017-5638, a known remote code execution (RCE) vulnerability in Apache Struts that attackers exploit through Object Graph Navigation Language (OGNL) expressions. The remaining 15 vulnerabilities include RCE flaws and an OS command injection flaw in routers, NVRs, CCTVs and DVRs used in enterprise environments. The Gafgyt samples exploit CVE-2018-9866, a flaw in unsupported GMS versions caused by insufficient sanitization of XML-RPC (remote procedure call) requests.
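A detection-side illustration of the Struts flaw named above, added here as an example and not taken from the original report: CVE-2017-5638 is triggered by an OGNL expression placed where a request header such as Content-Type belongs, so web-server or WAF logs can be screened for the expression markers. The request records below are constructed samples, and the field names and addresses are assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# OGNL expressions open with "%{" or "${". A legitimate Content-Type value
# never contains either, so the marker alone is a strong indicator of a
# CVE-2017-5638-style probe, whatever payload follows it.
OGNL_MARKER = re.compile(r"[%$]\{")

# Constructed sample requests (not real captures): an ordinary multipart upload,
# a request whose Content-Type carries an OGNL marker, a URL-encoded variant of
# the same marker, and a plain form post. Addresses are documentation ranges.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"src": "198.51.100.7", "path": "/app/upload.action",
     "content_type": "multipart/form-data; boundary=----constructedboundary"},
    {"src": "203.0.113.9", "path": "/app/upload.action",
     "content_type": "%{#constructed_marker='ognl-probe'}"},
    {"src": "203.0.113.10", "path": "/app/upload.action",
     "content_type": "%25%7B#constructed_marker='encoded-probe'}"},
    {"src": "198.51.100.8", "path": "/app/index.action",
     "content_type": "application/x-www-form-urlencoded"},
]


def is_ognl_probe(content_type: str) -> bool:
    """True when a Content-Type value carries an OGNL expression marker.

    The value is percent-decoded first so that an encoded "%{" ("%25%7B")
    is caught as well; a literal "%{" survives decoding unchanged because
    "%{" is not a valid escape sequence.
    """
    return bool(OGNL_MARKER.search(unquote(content_type)))


def find_ognl_probes(requests: List[Dict[str, str]]) -> List[str]:
    """Return the source addresses of requests flagged by is_ognl_probe."""
    return [r["src"] for r in requests if is_ognl_probe(r.get("content_type", ""))]


if __name__ == "__main__":
    for src in find_ognl_probes(SAMPLE_REQUESTS):
        print(f"possible CVE-2017-5638 probe from {src}")
```

The same check applies to any header the Jakarta multipart parser reads; in production it belongs in a WAF rule or log pipeline alongside patching, not instead of it.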
Researchers uncovered that the Mirai samples were recently moved to a domain whose IP address also hosts the new Gafgyt variants. The discovery is significant because these are the first recorded Mirai variants targeting Apache Struts. The bundling of multiple exploits into IoT and Linux botnets may also signal that the attackers are shifting from consumer devices to enterprise targets running outdated software, since organizations use the open source Struts framework to develop Java EE web applications. Left unchecked and unpatched, compromised devices can be used in distributed denial of service (DDoS) campaigns.
Patches released for these vulnerabilities should be applied as soon as possible. Additionally, make sure that your home network security is up to date, as a compromised home device can also expose enterprise assets to risk. Here are some suggestions to improve your digital security hygiene:
Update your software and firmware to prevent vulnerability exploits.
Change your devices' default security credentials to prevent unauthorized access.
Enable the routers’ built-in firewall.
Download and use software and applications from legitimate app stores and vendors, especially if your IoT devices connect to mobile devices.