The infamous Mirai and Gafgyt Internet of Things (IoT) botnets are targeting vulnerabilities in Apache Struts and the SonicWall Global Management System (GMS), Palo Alto Networks has discovered.
The Mirai variant observed in attacks last week packs exploits for 16 vulnerabilities, including one targeting CVE-2017-5638, the Apache Struts vulnerability that led to the Equifax data breach in 2017.
The domain currently hosting the new Mirai samples was resolving to a different IP address in August, and was seen hosting samples of the Gafgyt botnet (aka BASHLITE) that included an exploit for CVE-2018-9866, a flaw in older versions of SonicWall's Global Management System (GMS).
Another interesting characteristic of the new Mirai samples, Palo Alto Networks’ security researchers say, is that they no longer include the brute-force functionality generally used by the infamous IoT malware.
Ever since its source code was posted online in October 2016, Mirai has been continuously evolving, and the switch towards targeting vulnerabilities rather than brute-forcing credentials has been observed in other botnet samples as well.
Gafgyt’s newly acquired exploit is targeting a vulnerability affecting unsupported versions of SonicWall GMS (8.1 and older), the researchers point out. The first sample to target the flaw emerged on August 5, less than a week after an exploit for it was added to Metasploit.
“The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could be an indication of a larger movement from consumer device targets to enterprise targets,” Palo Alto Networks notes.
“All organizations should ensure they keep not only their systems up-to-date and patched, but also their IoT devices,” the security firm said.
Capable of launching powerful distributed denial of service (DDoS) attacks, both Mirai and Gafgyt have shown a surge in activity over the past several months. Now capable of infecting more than just IoT devices, these botnets pose increasingly higher risks to consumers and businesses alike.
UPDATE. “The vulnerability disclosed in this post is not an announcement of a new vulnerability in SonicWall Global Management System (GMS). The issue referenced only affects an older version of the GMS software (version 8.1) which was replaced by version 8.2 in December 2016. Customers and partners running GMS version 8.2 and above are protected against this vulnerability,” a SonicWall spokesperson told SecurityWeek in an emailed comment.
“Customers still using GMS version 8.1 should apply a hotfix supplied by SonicWall in August 2018 and plan for an immediate upgrade, as GMS 8.1 went out of support in February 2018. SonicWall and its threat research team continuously updates its products to provide industry-leading protection against the latest security threats, and it is therefore crucial that customers are using the latest versions of our products. We recommend that customers with older versions of GMS, which are long out of support, should upgrade immediately,” the spokesperson continued.
Related: Cross-Platform Mirai Variant Leverages Open-Source Project