MooBot

Palo Alto Networks’ Unit 42 researchers have reported the emergence of a new Mirai botnet variant called MooBot.  This variant is looking for unpatched D-Link devices to create its army of DDoS (distributed denial of service) bots.  To compromise vulnerable D-Link routers, MooBot uses multiple exploits.

Re-Emergence of Notorious MooBot:  The MooBot botnet was first discovered by Qihoo 360’s Netlab in Sep 2019, whereas the most recent wave of attacks involving MooBot, before the one detected by Palo Alto, was discovered by Fortinet analysts in Dec 2021.  Researchers identified that MooBot targeted a flaw in Hikvision cameras and enlisted many devices into its DDoS army.

In early August, Unit 42 researchers discovered a new attack wave.  This time, MooBot’s targets were unpatched D-Link routers, which it compromised using old and new exploits.

Exploited Vulnerabilities:

The botnet is exploiting four different vulnerabilities in D-Link devices, including the following:

  • CVE-2022-26258 (CVSS score: 9.8) – D-Link Remote Command Execution Vulnerability
  • CVE-2022-28958 (CVSS score: 9.8) – D-Link Remote Command Execution Vulnerability
  • CVE-2015-2051 (CVSS score: 10.0) – D-Link HNAP SOAPAction Header Command Execution Vulnerability
  • CVE-2018-6530 (CVSS score: 9.8) – D-Link SOAP Interface Remote Code Execution Vulnerability

Source: Palo Alto Networks

Previous waves targeted LILIN digital video recorders as well as Hikvision video surveillance devices.

What Happens If Devices are Compromised?  According to Unit 42 researchers, an attacker can gain full control of a compromised device.  The attacker can then perform various attacks, including remote code execution, and retrieve the MooBot payload from a remote host; the payload then parses instructions from a C2 server and launches DDoS attacks.  The bot can also be directed at specific port numbers and IP addresses for DDoS.

Campaign overview (Palo Alto Networks)

D-Link has released security updates to address the flaws.  However, countless devices remain unpatched.  Many have yet to be patched for the two most recent vulnerabilities (CVE-2022-26258 and CVE-2022-28958), discovered in March and May 2022.

The low attack complexity of these vulnerabilities lets the attacker gain remote code execution, and by running arbitrary commands they can easily fetch the malware binary.  It is worth noting that the C2 address used in the current attack wave differs from the one identified by Fortinet.

Apply the patches as soon as possible and keep devices updated to defend against the MooBot threat.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

Source:  https://www.hackread.com/mirai-botnet-moobot-variant-d-link-devices/

 
