Mirai and Gafgyt, two of the best known IoT botnets, have forked once again, with the new variants eyeing enterprise systems to build or replenish the resources they use for distributed denial-of-service attacks.
The code for both malware families reached the public space a few years back and aspiring cybercriminals began spawning their own revisions. Most of the time there is nothing interesting about the mutations, but the latest variants show a predilection for business devices.
A report reveals that the new Mirai and Gafgyt variants have added exploit code for several older vulnerabilities to their arsenal.
Mirai now targets systems running an unpatched Apache Struts, the flaw exploited in the Equifax breach last year. CVE-2017-5638 has been fixed for over a year, but as long as unpatched systems remain, cybercriminals will have as many reasons to add it to their arsenal of tricks as there are devices that fall for it.
The number of exploits in Mirai’s bag has now reached 16. Most of them are for compromising connected devices like routers, NVRs, cameras, and DVRs.
Gafgyt, also known as Bashlite, also targets business equipment, by exploiting a freshly disclosed vulnerability (CVE-2018-9866, rated with the maximum severity score) in unsupported versions of the Global Management System (GMS) from SonicWall.
New samples have been spotted on August 5, less than a week after the publication of a Metasploit module for this vulnerability.
Devices infected with Gafgyt can scan for other equipment ripe for compromise and deliver the appropriate exploit. Another command present in the malware launches a Blacknurse attack – a low-bandwidth ICMP attack that drives up CPU load on the target, forcing a denial-of-service condition.
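Because Blacknurse is a packet-rate rather than a bandwidth problem, a defender watching for it counts ICMP Destination Unreachable / Port Unreachable (Type 3, Code 3) packets per source per second instead of bytes. The following is an added example, not code from the article or from any vendor: it parses constructed netfilter-style LOG lines and flags sources whose peak Type 3 / Code 3 rate crosses a threshold (the log format and the threshold value are assumptions).

```python
import re
from collections import Counter

# netfilter LOG lines look like: "... SRC=a.b.c.d DST=... PROTO=ICMP TYPE=3 CODE=3 ..."
# (assumed format; timestamps are syslog style, truncated to the second).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?PROTO=ICMP "
    r".*?TYPE=(?P<type>\d+) CODE=(?P<code>\d+)"
)

def parse_icmp(line):
    """Return (second, src, icmp_type, icmp_code) or None for non-ICMP/unparsable lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("ts"), m.group("src"), int(m.group("type")), int(m.group("code"))

def blacknurse_sources(lines, threshold_pps=200):
    """Return {src: peak Type3/Code3 packets per second} for sources at or above threshold.

    threshold_pps is an assumed tuning value; a firewall that logs every ICMP packet
    will show a Blacknurse sender far above it, while normal port-unreachable
    traffic stays in single digits.
    """
    per_second = Counter()
    for line in lines:
        rec = parse_icmp(line)
        if rec and rec[2] == 3 and rec[3] == 3:
            per_second[(rec[1], rec[0])] += 1
    peak = {}
    for (src, _sec), n in per_second.items():
        peak[src] = max(peak.get(src, 0), n)
    return {src: n for src, n in peak.items() if n >= threshold_pps}

def constructed_log():
    """Constructed sample: one flooding source, one benign source, one echo request."""
    fmt = "Aug  5 10:00:0{s} fw kernel: IN=eth0 OUT= SRC={src} DST=203.0.113.1 PROTO=ICMP TYPE={t} CODE={c}"
    lines = [fmt.format(s=1, src="198.51.100.7", t=3, c=3) for _ in range(250)]
    lines += [fmt.format(s=i, src="192.0.2.10", t=3, c=3) for i in range(1, 4)]
    lines.append(fmt.format(s=2, src="192.0.2.10", t=8, c=0))
    return lines

if __name__ == "__main__":
    print(blacknurse_sources(constructed_log()))  # {'198.51.100.7': 250}
```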
Same threat actor behind both new variants
The type of systems targeted by the new Mirai and Gafgyt only hints that the same actor is behind them, but security researchers found the evidence: both samples were hosted at the same domain.
In August, the domain resolved to a different IP address and intermittently hosted the Gafgyt samples that leverage the SonicWall bug.
“The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could be an indication of a larger movement from consumer device targets to enterprise targets,” researchers say.