A variant of the Mirai botnet called Beastmode has been observed exploiting recently discovered vulnerabilities.
The Mirai botnet is composed primarily of IoT and embedded devices. In 2016, Mirai made national headlines when exploited connected devices were used to overwhelm several high-profile targets with record-setting Distributed Denial-of-Service (DDoS) attacks.
Mirai’s original creator was arrested in the fall of 2018, but variants that take advantage of new vulnerabilities have continued to emerge.
Security researchers from Fortinet have been observing the Beastmode variant and found that it’s been aggressively updating its “arsenal of exploits”. Fortinet’s researchers observed Beastmode adding five new exploits within a month.
Three of the exploits use vulnerabilities discovered between February and March 2022 to target various models of TOTOLINK routers:
- CVE-2022-26210 targets TOTOLINK A800R, A810R, A830R, A950RG, A3000RU, and A3100R.
- CVE-2022-26186 targets TOTOLINK N600R and A7100RU.
- CVE-2022-25075/25076/25077/25078/25079/25080/25081/25082/25083/25084 are a family of similar vulnerabilities targeting TOTOLINK A810R, A830R, A860R, A950RG, A3100R, A3600R, T6, and T10 routers.
Fortinet noted how a typo in a URL used for the third family of vulnerabilities was fixed in samples collected three days after it was initially caught on 20 February 2022, “suggesting active development and operation of this campaign.”
A number of other connected devices are targeted by the Beastmode variant:
- TP-Link Tapo C200 IP camera.
- D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L (all discontinued; updated firmware is not available).
- Huawei HG532 routers.
- NUUO NVRmini2, NVRsolo, and Crystal devices.
- NETGEAR ReadyNAS Surveillance products.
“Threat actors, such as those behind the Beastmode campaign, continue to rapidly incorporate newly published exploit code to infect unpatched devices using the Mirai malware,” wrote Fortinet’s researchers.
“By continuously monitoring the evolving threat landscape, FortiGuard Labs researchers identify new vulnerabilities exploited by Mirai variants and malware targeting IoT devices to bring greater awareness to such threats and better secure our customers’ networks.”