Like the original Mirai botnet, V3G4 infects IoT devices by exploiting default login credentials (factory-set usernames and passwords).
The IT security researchers at Palo Alto Networks’ Unit 42 have identified a new variant of the infamous Mirai malware, which was responsible for several large-scale DDoS (Distributed Denial of Service) attacks on Dyn DNS in October 2016.
Dubbed V3G4 by researchers, it is a type of malware that specifically targets Internet of Things (IoT) devices. Like the original Mirai botnet, V3G4 infects IoT devices by exploiting default login credentials (factory-set usernames and passwords).
In the campaign tracked by Unit 42, one of the prime targets of the V3G4 malware has been exposed IP cameras. The malware uses the exposed servers and devices to create a powerful botnet, which can be used to launch DDoS attacks or perform other malicious activities, such as stealing data or installing additional malware.
According to Unit 42’s report, researchers observed the V3G4 malware leveraging several vulnerabilities to spread its infection from July to December of 2022. These vulnerabilities include the following:
- CVE-2019-15107 Webmin Command Injection Vulnerability
- CVE-2012-4869 FreePBX Elastix Remote Command Execution Vulnerability
- CVE-2020-8515 DrayTek Vigor Remote Command Execution Vulnerability
- CVE-2020-15415 DrayTek Vigor Remote Command Injection Vulnerability
- CVE-2022-36267 Airspan AirSpot Remote Command Execution Vulnerability
- CVE-2022-26134 Atlassian Confluence Remote Code Execution Vulnerability
- CVE-2022-4257 C-Data Web Management System Command Injection Vulnerability
- CVE-2017-5173 Geutebruck IP Cameras Remote Command Execution Vulnerability
- CVE-2014-9727 FRITZ!Box Webcam Remote Command Execution Vulnerability
- Gitorious Remote Command Execution Vulnerability
- Mitel AWC Remote Command Execution Vulnerability
- Spree Commerce Arbitrary Command Execution Vulnerability
- FLIR Thermal Camera Remote Command Execution Vulnerability
Researchers also noted that the botnet client carries a stop list of process names; it cross-checks the names of processes running on the infected host against this list and terminates any that match. The listed names belong to competing botnet malware families and to previously identified Mirai variants.
This should not come as a surprise, as there have been several Mirai variants that have surfaced over the years. Some of them included MooBot, Demonbot, OMG, and several others.
"The vulnerabilities mentioned above have less attack complexity than previously observed variants, but they maintain a critical security impact that can lead to remote code execution." (Palo Alto Networks, Unit 42)
To protect against V3G4 and other IoT malware, it is important to follow best practices for securing IoT devices. This includes changing default usernames and passwords, keeping software up to date with the latest security patches, and disabling unnecessary services and protocols. Network segmentation can also help to contain the spread of malware if a device is infected.
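The following Python script is an added example, not code from the article or from Unit 42, showing one concrete way to act on the advice above: detecting Mirai-style default-credential login sprays in an IoT device's authentication log so that an operator can spot a device that is still running with factory credentials and being probed. It assumes OpenSSH-format "Failed password" log lines; the sample log lines and the list of default usernames are constructed for illustration and are not the malware's actual dictionary.

```python
"""Detect Mirai-style default-credential login sprays in an auth log.

Added example (not from the article or Unit 42). Log lines and the
default-username list below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed list of usernames commonly shipped as factory defaults on
# IoT devices. An operator would replace this with the defaults for the
# device models actually deployed.
DEFAULT_USERNAMES = {"root", "admin", "user", "guest", "support", "service"}

# Matches OpenSSH "Failed password" lines, e.g.
#   Dec  1 10:00:01 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 40212 ssh2
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample log: one source sprays default usernames at an IP
# camera, another source makes a couple of ordinary failed/successful logins.
SAMPLE_LOG = """\
Dec  1 10:00:01 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 40212 ssh2
Dec  1 10:00:03 cam01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40214 ssh2
Dec  1 10:00:05 cam01 sshd[813]: Failed password for invalid user support from 203.0.113.7 port 40216 ssh2
Dec  1 10:00:07 cam01 sshd[814]: Failed password for invalid user guest from 203.0.113.7 port 40218 ssh2
Dec  1 10:00:09 cam01 sshd[815]: Failed password for root from 203.0.113.7 port 40220 ssh2
Dec  1 10:05:00 cam01 sshd[820]: Failed password for alice from 198.51.100.4 port 51000 ssh2
Dec  1 10:06:00 cam01 sshd[821]: Failed password for root from 198.51.100.4 port 51002 ssh2
Dec  1 10:06:30 cam01 sshd[822]: Accepted password for alice from 198.51.100.4 port 51004 ssh2
""".splitlines()


def parse_line(line, year=2022):
    """Return (timestamp, username, source_ip) for a failed-login line, else None.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2022,
    the period of the campaign described above).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def find_default_cred_sprays(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: sorted usernames} for sources that made at least
    `threshold` failed logins with default usernames inside any `window`."""
    attempts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        if user in DEFAULT_USERNAMES:
            attempts[ip].append((ts, user))

    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        start = 0
        # Sliding window over the chronologically sorted attempts.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged


if __name__ == "__main__":
    for ip, users in find_default_cred_sprays(SAMPLE_LOG).items():
        print(f"default-credential spray from {ip}: usernames tried {users}")
```

In the sample log only 203.0.113.7 is flagged: it tries five default usernames within eight seconds, while 198.51.100.4 makes a single "root" attempt and its "alice" logins do not count. The threshold and window are deliberately loose so the check can run over a syslog collector for many devices; tightening them, or treating any successful login with a default username as a finding in its own right, is the next step once the devices that still have factory credentials have been identified and re-provisioned.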