A variant of the Mirai botnet called Beastmode has been observed to exploit recently discovered vulnerabilities.
The Mirai botnet mainly consists of IoT and embedded devices. In 2016, Mirai made national headlines when it used connected devices to overwhelm several high-profile targets with record-setting Distributed Denial-of-Service (DDoS) attacks.
Mirai’s original creator was arrested in the fall of 2018, but variants continue to emerge that take advantage of new vulnerabilities.
Fortinet security researchers observed the Beastmode variant and found that it has aggressively updated its “arsenal of exploits”. The Fortinet researchers saw that Beastmode added five new exploits within a month.
Three of the exploits use vulnerabilities discovered between February and March 2022 to target different models of TOTOLINK routers:
- CVE-2022-26210 targets TOTOLINK A800R, A810R, A830R, A950RG, A3000RU and A3100R.
- CVE-2022-26186 targets TOTOLINK N600R and A7100RU.
- CVE-2022-25075/25076/25077/25078/25079/25080/25081/25082/25083/25084 are a family of similar vulnerabilities targeting TOTOLINK A810R, A830R, A860R, A950RG, A3100R, A3600R, T6 and T10 routers.
Fortinet noted how a typo in a URL used for the third family of vulnerabilities was patched in samples collected three days after they were first discovered on February 20, 2022, “suggesting active development and operation of this campaign.”
A number of other connected devices have been targeted by the Beastmode variant:
- TP-Link Tapo C200 IP camera.
- D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L and DIR-836L (all are discontinued, and updated firmware is not available).
- Huawei HG532 routers.
- NUUO NVRmini2, NVRsolo and Crystal devices.
- NETGEAR ReadyNAS surveillance products.
“Threat actors, such as those behind the Beastmode campaign, continue to rapidly incorporate newly published exploit code to infect unpatched devices using the Mirai malware,” the Fortinet researchers wrote.
“By continuously monitoring the evolving threat landscape, FortiGuard Labs researchers are identifying new vulnerabilities that are being exploited by Mirai variants and malware targeting IoT devices to raise awareness of such threats and to better secure our customers’ networks.”