{"id":1722,"date":"2025-01-30T01:04:30","date_gmt":"2025-01-30T01:04:30","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1722"},"modified":"2025-01-30T01:04:30","modified_gmt":"2025-01-30T01:04:30","slug":"new-mirai-botnet-fires-off-ddos-attacks-via-compromised-mitel-phones-notifies-command-control-when-detected","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1722","title":{"rendered":"New Mirai botnet fires off DDoS attacks via compromised Mitel phones, notifies command &amp; control when detected"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>A third variant of the Mirai-based Aquabot malware is taking over Mitel phones to build a remote-controlled botnet that can fire off distributed denial of service (<a href=\"https:\/\/www.csoonline.com\/article\/571981\/ddos-attacks-definition-examples-and-techniques.html\">DDoS<\/a>) attacks.<\/p>\n<p>Dubbed Aquabotv3, the malware is actively exploiting a known vulnerability in the devices, which are session initiation protocol (SIP) desk phones, according to Akamai\u2019s <a href=\"https:\/\/www.akamai.com\/blog\/security-research\/2025-january-new-aquabot-mirai-variant-exploiting-mitel-phones\">Security Intelligence and Response Team<\/a>.<\/p>\n<p>Interestingly, this variant has a characteristic never before seen in <a href=\"https:\/\/www.csoonline.com\/article\/564711\/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html\">Mirai<\/a>: It reports when it\u2019s detected. 
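<\/p>\n<p>What \u201creports when it\u2019s detected\u201d means in practice, shown with an added example that is not Aquabot\u2019s code and not part of Akamai\u2019s analysis or this article: a Linux process installs handlers for the signals that a kill command or a service stop normally sends, so each termination attempt is intercepted and recorded instead of ending the process. Where the real malware would send that record to its C2, this example only counts attempts in memory and opens no network connection. The signal names are the standard POSIX ones; which of them to trap is this example\u2019s choice. It also shows the limit of the technique: SIGKILL and SIGSTOP cannot be caught, so a <code>kill -9<\/code> ends the process with nothing left to report, which is why a responder who wants to stop such a process quietly should use SIGKILL rather than SIGTERM and treat any outbound connection at that moment as a possible report.<\/p>
```python
# Added illustration (not Aquabot's code, not Akamai's analysis): how a Linux
# process can trap the signals that normally end it and record each attempt,
# which is all it takes to 'know' that something on the host tried to stop it.
# Aquabotv3 is reported to send such a record to its C2; this example only
# keeps it in memory and opens no network connection.
import os
import signal
import time

# Signals that kill, killall, a service stop and a Ctrl-C commonly deliver.
# Standard POSIX names; which ones to trap is this example's choice.
CATCHABLE = ('SIGTERM', 'SIGINT', 'SIGHUP', 'SIGQUIT')

# SIGKILL and SIGSTOP cannot be caught, blocked or ignored on any POSIX system,
# so a kill -9 produces no 'defended' record and nothing to report.
UNCATCHABLE = ('SIGKILL', 'SIGSTOP')

defended = {}  # signal name -> number of termination attempts intercepted


def make_handler(name):
    def handler(signum, frame):
        # Intercept the signal and flag it as 'defended'. In the real malware
        # this is where a report_kill-style call to the C2 would follow.
        defended[name] = defended.get(name, 0) + 1
    return handler


def install_handlers():
    '''Install a handler for every signal in CATCHABLE and UNCATCHABLE.
    Returns (trapped, refused, previous): the names now intercepted, the names
    the kernel refused, and the prior dispositions so they can be restored.'''
    trapped, refused, previous = [], [], {}
    for name in CATCHABLE + UNCATCHABLE:
        signum = getattr(signal, name)
        try:
            previous[signum] = signal.signal(signum, make_handler(name))
            trapped.append(name)
        except (OSError, ValueError):
            # The kernel rejects SIGKILL/SIGSTOP with EINVAL; Python raises OSError.
            refused.append(name)
    return trapped, refused, previous


def restore(previous):
    '''Put the original dispositions back so nothing else in the process changes.'''
    for signum, disposition in previous.items():
        signal.signal(signum, signal.SIG_DFL if disposition is None else disposition)


def simulate_kill_attempts():
    '''Send this process each trapped signal, as a kill PID would, and return
    the per-signal count of intercepted attempts plus the list of signals that
    could not be trapped.'''
    defended.clear()
    trapped, refused, previous = install_handlers()
    try:
        for name in trapped:
            os.kill(os.getpid(), getattr(signal, name))
            # Python runs the handler at the next bytecode boundary; yield one.
            time.sleep(0.01)
    finally:
        restore(previous)
    return dict(defended), refused


if __name__ == '__main__':
    counts, refused = simulate_kill_attempts()
    print('defended:', counts)          # one intercepted attempt per catchable signal
    print('could not trap:', refused)   # ['SIGKILL', 'SIGSTOP']
```
<p>Run as a script, it reports one intercepted attempt for each of SIGTERM, SIGINT, SIGHUP and SIGQUIT and lists SIGKILL and SIGSTOP as signals the kernel refused to let it trap. The original signal dispositions are restored afterwards, so the example leaves the interpreter exactly as it found it.<\/p>\n<p>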
Akamai\u2019s team says the malware \u201cexhibits a behavior we have never before seen with Mirai\u201d: Its <em>report_kill<\/em> function alerts its command-and-control (C2) server when something on the infected device attempts to terminate the malware. However, the researchers said they had not yet seen a response from the C2.<\/p>\n<p>\u201cDDoS continues to be a pervasive threat to many organizations, and botnets such as Aquabot are key players in this,\u201d Akamai security researchers Kyle Lefton and Larry Cashdollar <a href=\"https:\/\/www.akamai.com\/blog\/security-research\/2025-january-new-aquabot-mirai-variant-exploiting-mitel-phones\">wrote in a blog post<\/a>. \u201cThe ROI of Mirai for an aspiring botnet author is high. Mirai is one of the most successful botnet families in the world, and is also one of the more simple ones to modify.\u201d<\/p>\n<h2 class=\"wp-block-heading\">A unique characteristic \u2014 but that\u2019s not necessarily an advantage<\/h2>\n<p>The Mirai botnet was designed to hijack Internet of Things (IoT) devices and assemble them into remote-controlled botnets that can launch high-volume DDoS attacks. Aquabot was first discovered in November 2023 by antivirus vendor Antiy Labs.<\/p>\n<p>Aquabotv3 exploits a command injection vulnerability, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2024-41710\">CVE-2024-41710<\/a>, that affects the Mitel 6800, 6900 and 6900w series SIP phones. First disclosed in mid-July 2024, the vulnerability does not grant administrative privileges by itself: it allows an attacker who is already authenticated as an administrator on the phone to tamper with input parameters that the device fails to sanitize properly. 
This can allow them to execute arbitrary commands on the phone\u2019s operating system.<\/p>\n<p>\u201cThese IoT machines often lack proper security features, are at the end of service, or are left with default configurations and passwords either from neglect or lack of knowledge about the dangers,\u201d Lefton and Cashdollar wrote.<\/p>\n<p>They noted that, at first glance, the malware appears to be just a \u201cstandard Mirai malware binary with typical DDoS attack functions.\u201d Looking closer, however, they found a function that runs when the malware catches one of the signals that would normally terminate it, such as the one a kill command sends. When such a signal arrives, Aquabotv3 intercepts it, flags the malware as \u201cdefended\u201d against that signal, then reports back to its C2.<\/p>\n<p>\u201cWe haven\u2019t seen this behavior before in a Mirai variant, so perhaps it may become a new feature,\u201d the researchers wrote.<\/p>\n<p>The true reason for this behavior is not yet confirmed. It could be a way for the author to monitor the botnet\u2019s health, or a way to observe a device\u2019s defensive activity so the attackers can develop \u201cmore stealthy variants.\u201d It could also be used to detect competing botnets or takedown campaigns by defenders.<\/p>\n<p>\u201cUnique, however, is not always the most useful \u2014 this malware was not particularly quiet, which could be to its detriment,\u201d Lefton and Cashdollar emphasized.<\/p>\n<h2 class=\"wp-block-heading\">The ongoing fight against Mirai-based DDoS attacks<\/h2>\n<p>Nobody knows how many Mirai variants exist; researchers have put the count at anywhere from just seven to more than 200. Cybersecurity companies are nonetheless diligent in rooting them out.<\/p>\n<p>Just a week ago, for instance, Cloudflare said that it had detected the biggest DDoS attack ever recorded, a 5.6 terabits per second (Tbps) attack launched by a Mirai variant. 
It was directed at an Asian internet service provider (ISP) and originated from more than 13,000 IoT devices. It lasted only 80 seconds and was identified and mitigated by Cloudflare\u2019s autonomous systems.<\/p>\n<p>\u201cIt required no human intervention, didn\u2019t trigger any alerts, and didn\u2019t cause any performance degradation,\u201d Cloudflare wrote in a <a href=\"https:\/\/blog.cloudflare.com\/ddos-threat-report-for-2024-q4\/#the-largest-ddos-attack-on-record\">blog last week<\/a>.<\/p>\n<p>In <a href=\"https:\/\/www.csoonline.com\/article\/3716843\/new-mirai-botnet-targets-industrial-routers.html\">another case<\/a>, researchers from VulnCheck found that attackers have been using the <a href=\"https:\/\/vulncheck.com\/blog\/four-faith-cve-2024-12856\">Gayfemboy botnet<\/a>, based on Mirai malware, since November 2024 to exploit previously unknown vulnerabilities in routers and smart home devices.<\/p>\n<p>Clearly, Mirai isn\u2019t going away anytime soon, if ever, nor are DDoS attacks. Cloudflare reported a <a href=\"https:\/\/blog.cloudflare.com\/ddos-threat-report-for-2024-q4\/\">53% increase<\/a> in DDoS attacks in 2024 over 2023, and a 1,885% surge between the third and fourth quarters of 2024 in attacks exceeding 1 Tbps, which it calls \u201chyper-volumetric\u201d DDoS attacks.<\/p>\n<h2 class=\"wp-block-heading\">Aquabot advertised as DDoS-as-a-service<\/h2>\n<p>Akamai\u2019s researchers found that Aquabotv3\u2019s operators have been advertising the botnet as DDoS-as-a-service on platforms including Telegram, under names including Cursinq Firewall, The Eye Services, and The Eye Botnet.<\/p>\n<p>They pointed out that threat actors commonly assert that such a botnet is harmless and intended only for DDoS mitigation testing or red teaming. 
\u201cThreat actors will claim it\u2019s just a proof of concept (PoC) or something educational, but a deeper analysis shows that they are in fact advertising DDoS as a service, or the owners are boasting about running their own botnet,\u201d Lefton and Cashdollar wrote.<\/p>\n<p>In any case, the researchers underscored the importance of securing IoT devices that still run with default credentials. Mirai-derived botnets typically spread by trying a fixed dictionary of common and factory-default username and password pairs against exposed login services, so any device still using one of those pairs is one scan away from being recruited. Check login credentials and change them if they are still set to default or are easy to guess. Security teams should also identify where their known IoT devices are, and \u201ccheck for rogue ones, too.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A third variant of the Mirai-based Aquabot malware is taking over Mitel phones to build a remote-controlled botnet that can fire off distributed denial of service (DDoS) attacks. Dubbed Aquabotv3, the malware is actively exploiting a known vulnerability in the devices, which are session initiation protocol (SIP) desk phones, according to Akamai\u2019s Security Intelligence 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1708,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1722","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1722"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1722"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1722\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1708"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1722"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1722"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1722"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}