Activity of the IoT botnet Mirai increased again after the publication of a PoC exploit targeting a vulnerability in outdated models of ZyXEL PK5001Z routers. This was reported by security researchers from the company Qihoo 360 Netlab.
According to the report of the researchers, the exploit code was published on October 31, 2017, but the first cases of its use were recorded only on November 22.
Vulnerability CVE-2016-10401 is a hidden superuser password (zyad5001) present on vulnerable devices. By exploiting it, an attacker can obtain root privileges on the router. On its own, however, the password is useless, because it cannot be used to log in to the device.
However, the attackers found that a large number of ZyXEL devices use admin/CentryL1nk and admin/QwestM0dem as their default Telnet credentials.
The exploit automates remote login to the ZyXEL device using one of the above credential pairs, and then uses the superuser password to escalate privileges on the device.
The operators of Mirai and its variants adopted the exploit shortly after its publication. According to the experts, this is because Mirai-type botnets are built by scanning the Internet for devices with open Telnet ports, logging in with default credentials, and installing malware.
Over the past few days, researchers have documented an uncharacteristic increase in the number of attempts to scan ports 23 and 2323, which are used for Telnet authentication. Attackers use the PoC exploit to authenticate to vulnerable devices and infect them with the Mirai malware.
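The scan surge described above is the kind of signal a network operator can pick out of perimeter firewall logs. The following is an added example written for this article, not tooling from Qihoo 360 Netlab or from the researchers quoted; it assumes iptables-style syslog lines (the `TELNET-IN:` prefix and all addresses are constructed from documentation ranges), counts TCP connection attempts against ports 23 and 2323, and flags sources that probe several destinations, which is the horizontal-scan pattern behind Telnet-based botnet propagation.

```python
"""Spot Telnet-port scanning (TCP 23/2323) in iptables-style firewall logs.

Added example for this article, not the researchers' code. The log format and
the sample lines below are constructed assumptions; adapt LINE_RE to your firewall.
"""
import re
from collections import Counter, defaultdict

TELNET_PORTS = {23, 2323}

# Assumed iptables LOG-target line: "... SRC=a.b.c.d DST=e.f.g.h ... PROTO=TCP ... DPT=23 ..."
LINE_RE = re.compile(
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) DST=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r".*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log: one source sweeping four hosts on 23/2323, two single
# probes, one unrelated HTTPS hit and one UDP packet that should be ignored.
SAMPLE_LOG = """\
Nov 22 03:14:01 gw kernel: TELNET-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TTL=52 PROTO=TCP SPT=40211 DPT=23 SYN
Nov 22 03:14:01 gw kernel: TELNET-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 LEN=40 TTL=52 PROTO=TCP SPT=40212 DPT=23 SYN
Nov 22 03:14:02 gw kernel: TELNET-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.12 LEN=40 TTL=52 PROTO=TCP SPT=40213 DPT=2323 SYN
Nov 22 03:14:02 gw kernel: TELNET-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.13 LEN=40 TTL=52 PROTO=TCP SPT=40214 DPT=23 SYN
Nov 22 03:14:05 gw kernel: TELNET-IN: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=40 TTL=60 PROTO=TCP SPT=51000 DPT=23 SYN
Nov 22 03:14:07 gw kernel: TELNET-IN: IN=eth0 OUT= SRC=192.0.2.45 DST=203.0.113.10 LEN=40 TTL=61 PROTO=TCP SPT=51002 DPT=443 SYN
Nov 22 03:14:09 gw kernel: TELNET-IN: IN=eth0 OUT= SRC=192.0.2.46 DST=203.0.113.10 LEN=40 TTL=58 PROTO=TCP SPT=51004 DPT=2323 SYN
Nov 22 03:14:10 gw kernel: TELNET-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.14 LEN=40 TTL=52 PROTO=UDP SPT=40215 DPT=23
"""


def parse_line(line):
    """Extract source, destination, protocol and destination port; None if no match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def telnet_attempts(log_text):
    """Return only the TCP events aimed at a Telnet port (23 or 2323)."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["proto"] == "TCP" and ev["dpt"] in TELNET_PORTS:
            events.append(ev)
    return events


def summarize(log_text, scanner_threshold=3):
    """Count Telnet probes, per-port totals, distinct sources, and sources that
    touched at least `scanner_threshold` distinct destinations (likely scanners)."""
    events = telnet_attempts(log_text)
    per_port = Counter(ev["dpt"] for ev in events)
    dsts_by_src = defaultdict(set)
    for ev in events:
        dsts_by_src[ev["src"]].add(ev["dst"])
    scanners = sorted(
        src for src, dsts in dsts_by_src.items() if len(dsts) >= scanner_threshold
    )
    return {
        "telnet_attempts": len(events),
        "distinct_sources": len(dsts_by_src),
        "per_port": dict(per_port),
        "scanners": scanners,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"Telnet probes: {report['telnet_attempts']} from {report['distinct_sources']} sources")
    print(f"Per port: {report['per_port']}")
    print(f"Likely scanners (>=3 targets): {report['scanners']}")
```

In production the same logic would run over a sliding time window and compare the count of distinct sources against a baseline; a sudden jump in sources probing 23/2323, as Netlab observed here, is the indicator, and the obvious mitigation on the device side is to keep Telnet closed on the WAN interface and replace default credentials.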
As the experts note, most of the infected devices are in Argentina, in particular in the network of the Argentine telecommunications operator Telefonica de Argentina. In total, about 100,000 IP addresses were found searching for vulnerable devices. The Mirai malware has no persistence mechanism and is removed automatically when the router reboots. For this reason, the experts explained, the size of Mirai botnets varies greatly, and their operators must constantly scan the Internet for new vulnerable devices.