Mirai Botnet Variant IZ1H9 Expands Exploit Arsenal
October 10, 2023
IZ1H9, a variant of the notorious Mirai botnet, has broadened its attack capabilities by incorporating 13 new exploits into its toolkit. These exploits target a variety of routers, IP cameras, and other IoT devices from manufacturers such as D-Link, TP-Link, and Zyxel. First identified in August 2018, IZ1H9 is among the most active Mirai variants, exploiting unpatched vulnerabilities in IoT devices to co-opt them into distributed denial-of-service (DDoS) attacks.
The botnet variant has been progressively expanding its toolkit, which now holds about 30 exploits for vulnerabilities in devices from D-Link, Geutebruck, Korenix, Netis, Sunhillo, Totolink, TP-Link, Yealink, and Zyxel. Exploitation attempts peaked on September 6, with Fortinet reporting thousands of attack attempts.
Among the newly incorporated exploits, four target D-Link vulnerabilities identified as CVE-2015-1187, CVE-2016-20017, CVE-2020-25506, and CVE-2021-45382. These high-severity vulnerabilities allow remote attackers to execute arbitrary code on compromised devices. Eight other exploits target arbitrary command execution vulnerabilities impacting firmware supplied by UDP Technology to Geutebruck and other original equipment manufacturers (OEMs) for their IP cameras.
The arsenal of IZ1H9 also includes an exploit for CVE-2023-23295, a command injection vulnerability in Korenix JetWave routers, one for CVE-2019-19356, a remote code execution (RCE) vulnerability in Netis WF2419 wireless routers, and another for CVE-2021-36380, a critical operating system command injection issue in the Sunhillo SureLine application.
Additionally, IZ1H9 has incorporated exploits for 12 command injection vulnerabilities affecting Totolink routers, a recent command injection vulnerability in TP-Link Archer AX21 routers (CVE-2023-1389), two Yealink Device Management vulnerabilities, and an RCE vulnerability in Zyxel EMG3525 and VMG1312 devices. Fortinet also observed a non-functional payload apparently targeting a Prolink PRC2402M router vulnerability (CVE-2021-35401).
Some of the newly incorporated vulnerabilities, such as CVE-2021-36380 and CVE-2023-23295, have no prior reports of exploitation in the wild. IoT devices continue to be a lucrative target for threat actors, with remote code execution attacks posing significant threats to IoT devices and Linux servers. The exposure of vulnerable devices can lead to serious security risks. Despite the availability of patches for these vulnerabilities, the number of exploit triggers remains alarmingly high, often numbering in the thousands, Fortinet concludes.