
New Mirai Botnet Variant Targets Vulnerable Mitel Devices

A novel variant of the Mirai botnet, identified as Aquabot, has been detected exploiting weaknesses in Mitel SIP phones to facilitate distributed denial-of-service (DDoS) attacks as a service. This development, highlighted by the Akamai Security Intelligence and Response Team (SIRT) on January 29, represents the latest tactic used by cybercriminals to capitalize on device vulnerabilities.
Discovery and Exploit Details
Akamai's SIRT discovered Aquabot actively targeting a specific vulnerability in Mitel devices, tracked as CVE-2024-41710. The vulnerability is a command-injection flaw caused by insufficient input sanitization, and successful exploitation can grant root access. Researchers Kyle Lefton and Larry Cashdollar have detailed these findings, emphasizing the critical impact on corporate environments that use the affected Mitel models.
Evolution of Aquabot Variants
Aquabot is the third iteration of its line, building on earlier versions to improve its DDoS attack capabilities. First uncovered in November 2023 by Antiy Labs, earlier versions focused on concealment methods, such as preventing device shutdown. Version three distinguishes itself through new features, including a "report_kill" function that reports back to its command-and-control server when the malware process is being killed, although no counter-actions from the server have been observed yet.
Mitel Exploitation in Action
In early January, Akamai SIRT identified attempts to exploit CVE-2024-41710 using a payload nearly identical to a GitHub proof-of-concept shared by Kyle Burns of Packetlabs. Affected devices include the Mitel 6869i SIP phone, on which the input sanitization failure is triggered via crafted HTTP POST requests. The goal of these exploit attempts is to execute a Mirai-linked shell script on the targeted systems.
DDoS as a Service and Implications
The cybercriminals responsible for this Aquabot variant have marketed it as a DDoS-as-a-service platform across channels such as Telegram, using deceptive names including Cursinq Firewall and The Eye Botnet. Although the service is advertised as a tool for testing DDoS mitigation, investigation reveals active malware distribution from related domains.
Insights on Mirai Botnets
Mirai-based botnets remain prominent in global DDoS activity because they target IoT devices, which often lack robust security and are therefore easy to exploit. Because the code base is easy to modify and its impact is widespread, Mirai derivatives continue to be formidable tools for cyber attackers.
Recommendations for Mitigation
Security experts recommend steps to secure IoT devices, including changing default credentials and continuously monitoring for rogue systems. Akamai SIRT provides detailed indicators of compromise (IoCs) along with Snort and Yara rules in its analysis to aid detection efforts. By proactively identifying and securing vulnerable devices, organizations can better protect themselves against the pervasive threat of Mirai variants and their associated DDoS attacks.