IoT Security at Risk as Mirai Variants Intensify DDoS Attacks
Threat Group: - Unknown
Threat Type: - IoT Botnet Malware
Exploited Vulnerabilities: - Multiple IoT vulnerabilities, including CVE-2024-7029
Malware Used: - V3G4, Corona Mirai
Threat Score: - High (8.8/10) due to its ability to exploit critical vulnerabilities in IoT devices and launch massive DDoS attacks.
Last Threat Observation: - October 2024
Overview
Recent reports indicate increased activity from Mirai botnet variants, specifically V3G4 and Corona Mirai. These strains target Internet of Things (IoT) devices like IP cameras and Linux servers to create large botnets for executing distributed denial-of-service (DDoS) attacks. The Corona Mirai variant exploits a zero-day vulnerability (CVE-2024-7029) in AVTECH security cameras to achieve remote code execution, while V3G4 targets a broader range of IoT devices using multiple vulnerabilities.
Key Details
- Delivery Method: Exploits vulnerabilities in IoT devices, such as outdated firmware in IP cameras.
- Target: IoT devices, particularly IP cameras, Linux servers, and other networked devices.
- Functions:
- Executes remote code for malware payloads.
- Connects to command-and-control (C2) servers.
- Conducts DDoS attacks.
- Utilizes encryption techniques to evade detection.
- Obfuscation: Uses multiple XOR encryption keys for communication.
Attack Vectors
Mirai variants typically scan the internet for vulnerable devices, using default login credentials or known vulnerabilities for entry. The Corona Mirai variant exploits CVE-2024-7029 in AVTECH IP cameras to execute malicious code. The V3G4 variant employs 13 different vulnerabilities to compromise IoT devices, integrating them into the botnet for DDoS operations.
Known Indicators of Compromise (IoCs)
IPv4 Addresses:
- 93.123.39[.]72
- 93.123.39[.]87
- 93.123.39[.]111
- 147.78.103[.]177
- 185.216.70[.]37
- 94.156.8[.]185
- 93.123.39[.]173
- 74.50.81[.]158
- 94.156.71[.]74
- 93.123.85[.]213
- 185.216.70[.]142
- 45.66.231[.]148
- 185.216.70[.]79
SHA256 Hashes:
15a1d52c529d314bb2b5fa8b8bd6c6a496609a283dd0e78e595c929e720d1b5b("r")c0ae1eb249705f61d45ca747c91c02a411557a28792f4064c1d647abb580bc10("x86")b0f7ef937d77061515907c54967a44da3701e0d2af143164bbf44bb4fc6f26af("sh")e82192fbe00bc7205abe786155bbfc0548f5c6ee9819a581e965526674f3cc57("mips")9e9e481bb448438572c2695469c85f773ddcd952025e45bee33bbfce2531c656("r")f4bf61fc335db4f3e7d7d89b534bc1e6ead66a51938e119ea340fe95039935e3("mips")22553be649f76a060ebbdfd410e295b66803e9c49d23369a726be2c5a25733ab("sh")- Additional hashes are available for detailed investigation.
Mitigation and Prevention
- Patch Management: Apply the latest firmware updates for all IoT devices.
- Network Segmentation: Isolate IoT devices from critical networks.
- Credential Hardening: Use unique, strong passwords for all devices.
- Monitoring: Detect unusual outbound traffic patterns and block identified IoCs.
Conclusion
The emergence of new Mirai variants like V3G4 and Corona Mirai highlights the risks associated with IoT devices. Ensuring device security through updates, network segmentation, and monitoring is essential for mitigating the impact of these botnets.