Mirai, Gafgyt IoT Botnets Reach Into the Enterprise Sector

Filed under Security Alerts.

Mirai and Gafgyt, two of the best known IoT botnets, have forked once again, and the new variants are eyeing the enterprise sector to build or replenish the pool of devices they use for distributed denial-of-service attacks.

The source code for both malware families became public a few years back, and aspiring cybercriminals began spawning their own revisions. Most of the time there is nothing interesting about the mutations, but the latest variants show a predilection for business equipment.

A report reveals that the new Mirai and Gafgyt variants add to their arsenal exploit code for several older vulnerabilities.

Mirai now targets systems running an unpatched Apache Struts, the same flaw attacked in the Equifax breach last year. CVE-2017-5638 has had a fix available for over a year, but until vulnerable installations are completely eradicated, cybercriminals will have as many reasons to keep it in their arsenal as there are devices that still fall for it.

The number of exploits in Mirai’s bag has now reached 16. Most of them are for compromising connected devices like routers, NVRs, cameras, and DVRs.

Gafgyt, also known as Bashlite, looks at business equipment as well, by targeting a freshly disclosed vulnerability (CVE-2018-9866, carrying the maximum severity score) in unsupported versions of the Global Management System (GMS) from SonicWall.

New samples were spotted on August 5, less than a week after the publication of a Metasploit module for this vulnerability.

Devices infected with Gafgyt can scan for other equipment ripe for compromise and deliver the appropriate exploit. Another command present in the malware launches a Blacknurse attack – a low-bandwidth ICMP flood that drives up CPU load on the target, forcing a denial-of-service condition.
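Blacknurse, as mentioned above, works by flooding a target with ICMP type 3 code 3 (destination unreachable / port unreachable) messages at a high packet rate, so the defensive counterpart is rate-based detection of that specific message type per source. The following is an added example written for this page, not code from the report or from the malware; the log line format, the addresses and the window/threshold values are all constructed assumptions for the illustration.

```python
import re
from collections import defaultdict, deque

# Assumed log format (constructed for this example):
# "<epoch seconds> <src ip> <dst ip> icmp type=<n> code=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>\S+) (?P<dst>\S+) "
    r"icmp type=(?P<type>\d+) code=(?P<code>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src, icmp_type, icmp_code) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), m["src"], int(m["type"]), int(m["code"])


def detect_blacknurse(lines, window=1.0, threshold=20):
    """Flag sources sending more than `threshold` ICMP type 3/code 3 packets
    inside any `window` seconds. Lines must be in timestamp order.
    Returns {src: peak packets seen in one window} for flagged sources only."""
    recent = defaultdict(deque)  # per-source sliding window of timestamps
    peak = {}
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        ts, src, itype, code = rec
        if (itype, code) != (3, 3):  # only port-unreachable messages matter
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop packets outside the window
            q.popleft()
        if len(q) > threshold:
            peak[src] = max(peak.get(src, 0), len(q))
    return peak


def build_sample_log():
    """Constructed sample: one flooding host, one benign host, some echo requests."""
    base = 1533459600
    lines = [f"{base + i * 0.008:.3f} 203.0.113.10 198.51.100.1 icmp type=3 code=3"
             for i in range(60)]                       # 60 packets in ~0.5 s
    lines += [f"{base + i * 10:.3f} 203.0.113.20 198.51.100.1 icmp type=3 code=3"
              for i in range(5)]                       # a few spread over 40 s
    lines += [f"{base + 1 + i:.3f} 203.0.113.30 198.51.100.1 icmp type=8 code=0"
              for i in range(30)]                      # plain pings, ignored
    return sorted(lines, key=lambda l: float(l.split()[0]))


if __name__ == "__main__":
    print(detect_blacknurse(build_sample_log()))  # {'203.0.113.10': 60}
```

On real data the threshold should be tuned to the firewall's measured baseline, since a handful of port-unreachable replies per minute is normal traffic.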

Same threat actor behind both new variants

If the type of systems targeted by the new Mirai and Gafgyt only hints that the same actor is behind them, security researchers found the evidence: both samples were hosted at the same domain.

In August, the domain resolved to a different IP address and intermittently hosted the Gafgyt samples leveraging the SonicWall bug.

“The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could be an indication of a larger movement from consumer device targets to enterprise targets,” researchers say.


Source: Bleeping Computer.