{"id":1461,"date":"2025-01-09T18:27:40","date_gmt":"2025-01-09T18:27:40","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1461"},"modified":"2025-01-09T18:27:40","modified_gmt":"2025-01-09T18:27:40","slug":"new-mirai-botnet-targets-industrial-routers","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1461","title":{"rendered":"New Mirai botnet targets industrial routers"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>According to security analysis, the Gayfemboy botnet, based on the notorious <a href=\"https:\/\/www.csoonline.com\/article\/564711\/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html\">Mirai\u00a0malware<\/a>, is currently spreading around the world. Researchers from\u00a0<a href=\"https:\/\/blog.xlab.qianxin.com\/gayfemboy\/\">Chainxin X Lab<\/a>\u00a0found that cybercriminals have been using the botnet since November 2024 to attack previously unknown vulnerabilities. The botnet\u2019s preferred targets include Four-Faith and Neterbit routers or smart home devices.<\/p>\n<p>Experts from\u00a0<a href=\"https:\/\/vulncheck.com\/blog\/four-faith-cve-2024-12856\">VulnCheck<\/a>\u00a0reported at the end of December that a vulnerability in Four-Faith industrial routers (CVE-2024-12856) had been exploited in the wild. The attackers exploited the router\u2019s default credentials to\u00a0launch a remote\u00a0<a href=\"https:\/\/owasp.org\/www-community\/attacks\/Command_Injection\">command injection.<\/a><\/p>\n<p>In addition, the\u00a0<a href=\"https:\/\/www.csoonline.com\/article\/563821\/what-is-a-botnet.html\">botnet<\/a>\u00a0was used for targeted attacks on unknown vulnerabilities in Neterbit routers and Vimar smart home devices. 
According to Chainxin X Lab, Gayfemboy has exploited over 20 vulnerabilities and weak Telnet credentials to access the devices. It includes a brute-force module for insecure Telnet passwords, uses custom UPX packing with unique signatures, and implements\u00a0Mirai-based command structures. This allows the attackers to update clients, scan networks, and carry out <a href=\"https:\/\/www.csoonline.com\/article\/571981\/ddos-attacks-definition-examples-and-techniques.html\">DDoS attacks<\/a>.<\/p>\n<p>According to researchers, the botnet has been attacking hundreds of targets every day since its discovery in February 2024. The number of daily active bot IPs is 15,000, most of which are located in China, the US, Russia, Turkey, and Iran. Targets are spread across the world and affect various industries, with the main targets being located in China, the US, Germany, the UK, and Singapore.<\/p>\n<p>According to Chainxin X Lab, the botnet\u2019s DDoS attacks are short-lived (between 10 and 30 seconds) but high in intensity, with data rates exceeding 100 Gbps, and are capable of disrupting even robust infrastructures.<\/p>\n<h2 class=\"wp-block-heading\">Vulnerable devices<\/h2>\n<p>According to the analysis, the botnet\u2019s attacks target the following devices:<\/p>\n<ul>\n<li>ASUS routers (via N-day exploits)<\/li>\n<li>Huawei routers (via CVE-2017-17215)<\/li>\n<li>Neterbit router (custom exploit)<\/li>\n<li>LB-Link router (via CVE-2023-26801)<\/li>\n<li>Four-Faith industrial routers (via the zero-day now tracked as CVE-2024-12856)<\/li>\n<li>PTZ cameras (via CVE-2024-8956 and CVE-2024-8957)<\/li>\n<li>Kguard DVR<\/li>\n<li>Lilin DVR (via remote code execution exploits)<\/li>\n<li>Generic DVRs (using exploits like TVT editBlackAndWhiteList RCE)<\/li>\n<li>Vimar smart home devices (presumably exploiting an unknown vulnerability)<\/li>\n<li>Various 5G\/LTE devices (likely due to misconfigurations or weak credentials)<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>According to security analysis, the Gayfemboy botnet, based on the notorious Mirai\u00a0malware, is currently spreading around the world. Researchers from\u00a0Chainxin X Lab\u00a0found that cybercriminals have been using the botnet since November 2024 to attack previously unknown vulnerabilities. The botnet\u2019s preferred targets include Four-Faith and Neterbit routers or smart home devices. Experts from\u00a0VulnCheck\u00a0reported at the end [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1462,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1461","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1461"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1461"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1461\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1462"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1461"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1461"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1461
"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}