In a significant development reported by Akamai’s Security Intelligence Response Team (SIRT) in late October 2023, heightened malicious activity was detected, indicating the exploitation of zero-day vulnerabilities to disseminate a variant of the Mirai botnet, named ‘InfectedSlurs’. This botnet specifically targets Network Video Recorders (NVRs) and outlet-based wireless LAN routers commonly used in hotels and residences. The attackers exploit these vulnerabilities for remote code execution (RCE), inducting infected devices into a DDoS swarm.
Akamai’s Research Findings:
- Mirai Botnet Expansion: The Mirai botnet is known for orchestrating large-scale DDoS attacks by controlling a wide array of connected IoT devices.
- TCP Port Vulnerabilities: Akamai’s research highlighted probes targeting a rarely used TCP port, pointing towards a zero-day exploit in NVR devices.
- Specific Device Targeting: The botnet focuses on particular NVRs and wireless LAN routers. The NVR manufacturer has acknowledged this zero-day exploit and is expected to release a fix by December 2023. Additional details about the second zero-day affecting wireless LAN routers are also anticipated soon.
Technical Details and Indicators of Compromise (IOCs):
- Malware SHA256SUMs: Various samples of the malware, adapted for different architectures, have been linked to the botnet. The SHA256SUMs of these samples are vital for detecting compromised systems.
- C2 Infrastructure: The botnet leverages distinct C2 domains and IP addresses. Notable domains include ‘iaxtpa[.]parody’ and ‘infectedchink[.]cat’. The infrastructure exhibits synchronized changes and unusual domain resolutions.
This report is based on the findings and research conducted by Akamai’s Security Intelligence Response Team (SIRT). Their proactive detection and analysis of these zero-day vulnerabilities have been instrumental in understanding the expanding threat landscape posed by the Mirai botnet.