Patch Now: New Mirai, Gafgyt Variants Target 16 Flaws Via Multi-Exploits

September 12, 2018
Researchers reported that new variations of Internet of Things (IoT) botnets Mirai (Detection: Backdoor.Linux.MIRAI.AB and Gafgyt (Detection: Backdoor.Linux.GAFGYT.AA) are targeting known vulnerabilities in Apache Struts and SonicWall. Samples of the new Mirai variant target 15 vulnerabilities in Apache Struts with multiple exploits, including the flaw that caused the 2017 Equifax data breach. Meanwhile, the new Gafgyt variant affects a recently disclosed security vulnerability of unsupported versions of Global Management System (GMS) 8.1 and earlier.

[Read: The Equifax Breach: What to do now and what to watch out for]

One of the targets of the new Mirai variant is CVE-2017-5638, a known remote code execution (RCE) vulnerability in Apache Struts that attackers exploited with Object Graph Navigation Language (OGNL). The remaining 15 vulnerabilities include RCE flaws and an OS command injection security glitch in enterprise-used routers, NVRs, CCTVs and DVRs. The Gafgyt samples exploit CVE-2018-9866, a flaw found in unsupported versions caused by insufficient sanitization of the remote procedure call (XML-RPC).

 [Read: Critical Remote Code Execution vulnerability (CVE-2018-11776) found in Apache Struts]

Researchers uncovered that the Mirai samples were recently moved to a domain with an IP address also hosting the new variants of Gafgyt. The discovery is significant as these are the first recorded Mirai variants targeting Apache Struts. Additionally, these activities may serve as a warning that the incorporation of these multi-exploits for IoT and Linux botnets could indicate that the attackers are moving from consumer devices to enterprise targets with outdated versions, since organizations use the open source application framework to develop Java EE web applications. Left unchecked and unpatched, attackers could use these devices in distributed denial of service (DDoS) campaigns.

[Read: Open ADB ports being exploited to spread possible Satori variant in Android devices]

Patches released for earlier vulnerabilities should be updated as soon as possible. Additionally, make sure that your home network security is updated, as a compromised home device can also expose enterprise assets to risks. Here are some suggestions to improve your digital security hygiene:

  • Update your software and firmware to prevent vulnerability exploits.
  • Change your devices' default security credentials to prevent unauthorized access.
  • Enable the routers’ built-in firewall.
  • Download and use software and applications from legitimate app stores and vendors, especially if your IoT devices connect to mobile devices.

Trend Micro Solutions

The Trend Micro™ Deep Security™ solution provides virtual patching that protects gateways, servers and endpoints from threats that abuse vulnerabilities in critical applications such as Apache Struts. The Trend Micro™ TippingPoint® system provides virtual patching and extensive zero-day protection against network-exploitable vulnerabilities via Digital Vaccine™ filters. 

The Trend Micro Smart Home Network™ has protected customers from these threats since 2017 via these rules:

1133528 WEB Apache Struts 2 Remote Code Execution -1.1 (CVE-2017-5638)
1133529 WEB Apache Struts 2 Remote Code Execution -1.2 (CVE-2017-5638)
1133530 WEB Apache Struts 2 Remote Code Execution -2.1 (CVE-2017-5638)
1133531 WEB Apache Struts 2 Remote Code Execution -2.2 (CVE-2017-5638)
1133532 WEB Apache Struts 2 Remote Code Execution -2.3 (CVE-2017-5638)

Trend Micro™ Deep Discovery™ protects customers from this threat via these Deep Discovery Inspector (DDI) rules:

2623 - Remote Code Execution - HTTP (Request) - Variant 2
2745 - CVE-2018-9866 SonicWall XML RPC Remote Code Execution  Exploit  - HTTP (Request)


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.