
A Mirai-based botnet has been found exploiting zero-day vulnerabilities in industrial routers and smart home devices. According to the report from Qianxin XLab, the botnet has been using previously unknown vulnerabilities since November 2024.

Exploiting vulnerabilities

The botnet's primary exploit targets CVE-2024-12856, a vulnerability in Four-Faith industrial routers. VulnCheck disclosed the flaw in late December 2024 and observed exploitation attempts from December 20; XLab's own telemetry places the botnet's use of it earlier, in November. Alongside this zero-day, the botnet carries custom exploits for vulnerabilities in Neterbit routers and Vimar smart home devices.

Botnet profile and activity

First detected in February 2024, the botnet has grown to roughly 15,000 active nodes per day, located mainly in China, the United States, Russia, Turkey, and Iran. Its primary purpose appears to be distributed denial-of-service (DDoS) attacks carried out for financial gain, and attack activity increased sharply in October and November 2024. The malware can exploit more than 20 vulnerabilities across device families, including:

  • Routers: ASUS (via N-day exploits), Huawei (CVE-2017-17215), Neterbit (custom exploit), LB-Link (CVE-2023-26801), and Four-Faith (CVE-2024-12856).
  • Cameras: PTZ cameras (CVE-2024-8956 and CVE-2024-8957).
  • DVRs: Kguard and Lilin DVRs (via remote code execution exploits).
  • Smart Home Devices: Vimar devices using undisclosed vulnerabilities.
  • 5G/LTE Devices: likely targeted through misconfigurations or weak credentials.

DDoS attack characteristics

The DDoS attacks launched by this botnet are short, typically lasting 10 to 30 seconds, but reach very high volumes, often exceeding 100 Gbps. A burst that short can finish before upstream scrubbing or blackholing has engaged, which is what makes the pattern difficult to mitigate. Targets span multiple industries worldwide, with notable concentrations in China, the United States, Germany, the United Kingdom, and Singapore.
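The burst profile above (seconds-long, very high rate) is easy to miss with detectors tuned for sustained floods. The following is an added example, not code from XLab or the original article, of a detector that aggregates per-second traffic toward each destination and reports runs above a rate threshold, tolerating a single missing second so that collector gaps do not split one burst into two. The 50 Gbps threshold, the 10-second minimum run length, the IP addresses and the traffic samples are all constructed for illustration.

```python
"""Burst-DDoS detector over per-second traffic samples (added example)."""
from collections import defaultdict
from dataclasses import dataclass

GBPS = 1_000_000_000          # bits per second in one gigabit
BASE = 1_700_000_000          # constructed start timestamp for the samples


@dataclass
class Burst:
    dst: str
    start: int                # first second above threshold
    end: int                  # last second above threshold (inclusive)
    peak_gbps: float

    @property
    def duration(self) -> int:
        return self.end - self.start + 1


def aggregate_per_second(samples):
    """Sum bytes per destination per whole second.

    samples: iterable of (unix_seconds, dst_ip, bytes), e.g. flow records that
    have already been expanded by the collector.
    """
    series = defaultdict(lambda: defaultdict(int))
    for ts, dst, nbytes in samples:
        series[dst][int(ts)] += nbytes
    return series


def find_bursts(series, threshold_gbps=50.0, min_seconds=10, gap_tolerance=1):
    """Return runs of seconds whose rate exceeds threshold_gbps.

    gap_tolerance: consecutive sub-threshold (or missing) seconds allowed inside
    a run before it is closed.  Runs shorter than min_seconds are dropped.
    """
    bursts = []
    for dst, per_sec in series.items():
        lo, hi = min(per_sec), max(per_sec)
        start = last_above = None
        peak, gap = 0.0, 0
        for sec in range(lo, hi + 1):          # missing seconds count as 0 bytes
            gbps = per_sec.get(sec, 0) * 8 / GBPS
            if gbps > threshold_gbps:
                if start is None:
                    start, peak = sec, 0.0
                last_above, peak, gap = sec, max(peak, gbps), 0
            elif start is not None:
                gap += 1
                if gap > gap_tolerance:          # run is over: keep it if long enough
                    if last_above - start + 1 >= min_seconds:
                        bursts.append(Burst(dst, start, last_above, peak))
                    start, gap = None, 0
        if start is not None and last_above - start + 1 >= min_seconds:
            bursts.append(Burst(dst, start, last_above, peak))   # run reached end of data
    return sorted(bursts, key=lambda b: (b.start, b.dst))


def detect(samples, **kwargs):
    """Convenience wrapper: raw samples in, sorted Burst list out."""
    return find_bursts(aggregate_per_second(samples), **kwargs)


def constructed_samples():
    """Synthetic samples (not captured traffic) covering three cases."""
    samples = []
    for t in range(60):
        # Target A: 0.5 Gbps baseline, then a 120 Gbps flood from t=20..37 (18 s).
        rate = 120 * GBPS if 20 <= t <= 37 else 0.5 * GBPS
        samples.append((BASE + t, "203.0.113.10", int(rate / 8)))
        # Target B: a 3-second 150 Gbps spike, too short to report.
        rate = 150 * GBPS if 30 <= t <= 32 else 0.2 * GBPS
        samples.append((BASE + t, "198.51.100.7", int(rate / 8)))
        # Target C: 90 Gbps from t=5..16 with second t=10 missing (collector gap).
        if t != 10:
            rate = 90 * GBPS if 5 <= t <= 16 else 0.3 * GBPS
            samples.append((BASE + t, "192.0.2.44", int(rate / 8)))
    return samples


if __name__ == "__main__":
    for b in detect(constructed_samples()):
        print(f"{b.dst}: {b.duration}s burst from t={b.start - BASE}, peak {b.peak_gbps:.0f} Gbps")
```

The gap tolerance is the detail worth tuning: with flow export intervals of a few seconds, a 20-second burst can easily have a hole in its per-second series, and without the tolerance it would be reported as two sub-threshold fragments or not at all.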

Protective measures for users

To reduce exposure to this botnet and others like it, operators of the affected device classes should:

  • Apply the latest vendor security patches promptly; most of the vulnerabilities above already have fixes.
  • Disable remote management unless it is required, and otherwise restrict it to known management addresses.
  • Replace default administrative credentials; weak or default passwords are one of the entry points listed above.

As cyber threats continue to evolve, staying informed and proactive is crucial for safeguarding both industrial and personal devices against these sophisticated attacks.
