Mirai Botnet Variant Targets Vulnerable OFBiz ERP Systems

August 2, 2024

Enterprise Resource Planning (ERP) software forms the backbone of many businesses, aiding in tasks such as human resources, accounting, shipping, and manufacturing. These systems can be complex and challenging to maintain because of their high degree of customization, which makes patching difficult. This complexity often leaves critical vulnerabilities unpatched, jeopardizing sensitive business data.

The SANS Internet Storm Center has recently reported that the open-source ERP framework OFBiz is being targeted by new variations of the Mirai botnet. OFBiz, a Java-based framework supported by the Apache Foundation, is used for creating ERP applications. Despite being less prevalent than commercial alternatives, OFBiz is relied upon by organizations for managing sensitive business data, making its security crucial.

In May, a critical security update was released for OFBiz, addressing a directory traversal vulnerability that could lead to remote command execution. This vulnerability affected OFBiz versions before 18.12.13. Shortly after the update, details about the vulnerability were made public. Directory traversal vulnerabilities can be exploited to bypass access control rules, potentially granting unauthorized access to sensitive directories.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recently issued an alert as part of the 'Secure by Design' initiative, focusing on directory traversal. They are currently tracking 55 such vulnerabilities as part of the 'Known Exploited Vulnerabilities' (KEV) catalog. For OFBiz, the directory traversal vulnerability can be triggered simply by inserting a semicolon into a URL.

The SANS Internet Storm Center detected a significant increase in attempts to exploit the OFBiz directory traversal vulnerability (CVE-2024-32213) over the weekend. The exploit attempts originated from two different IP addresses, which were also linked to various attempts to exploit Internet of Things (IoT) devices. These activities are commonly associated with the Mirai botnet.

The attackers used two versions of the exploit. The first used the URL to include the command the exploit was intended to execute, while the second used the body of the request for the command, which is more common for 'POST' requests. The IP addresses involved were also used to distribute a file called 'botx.arm', a filename often associated with Mirai variants.
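Because the article describes the trigger as a semicolon inserted into the URL, and notes that the command was carried either in the URL or in a POST body, a defender's first move is to hunt for such requests in web server access logs. The following is an added detection example, not code from the article or from the OFBiz project: it parses combined-format access-log lines, percent-decodes the request path (so an encoded `%3B` or double-encoded `%253B` is also caught), ignores the legitimate Java servlet `;jsessionid=` path parameter, and reports every request whose path still contains a semicolon, regardless of HTTP method. The log lines, hosts, paths and IP addresses are constructed for this example and are not the indicators from the article.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). Addresses, paths
# and user agents are invented for this example; they are not the article's IoCs.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Aug/2024:10:01:12 +0000] "GET /ofbiz/catalog/main HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Aug/2024:10:01:13 +0000] "GET /ofbiz/catalog/main;/internal/view HTTP/1.1" 200 812 "-" "curl/8.0"
198.51.100.7 - - [02/Aug/2024:10:02:40 +0000] "POST /ofbiz/catalog/main%3B/internal/view HTTP/1.1" 200 640 "-" "python-requests/2.31"
198.51.100.7 - - [02/Aug/2024:10:02:41 +0000] "GET /ofbiz/images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.55 - - [02/Aug/2024:10:03:05 +0000] "GET /ofbiz/catalog/main;jsessionid=ABC123DEF HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, ident, user, [timestamp], "METHOD target proto", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A ';jsessionid=...' path parameter is normal for Java servlet containers and
# should not raise an alert on its own.
BENIGN_PATH_PARAM = re.compile(r';jsessionid=[^/;]*', re.IGNORECASE)


def normalize_path(target):
    """Drop the query string and percent-decode until stable, so that an
    encoded (%3B) or double-encoded (%253B) semicolon is visible as ';'."""
    path = target.split('?', 1)[0]
    for _ in range(3):  # bounded: a few rounds are enough to unwrap double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_suspicious(path):
    """True when the decoded path contains a semicolon that is not part of
    the benign ';jsessionid=' path parameter."""
    return ';' in BENIGN_PATH_PARAM.sub('', path)


def scan_log(text):
    """Return one record per request whose decoded path contains a suspicious
    semicolon. Both GET and POST requests are covered, matching the article's
    two exploit shapes (command in the URL vs. command in the request body)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined-format line; skip it
        path = normalize_path(m['target'])
        if is_suspicious(path):
            hits.append({
                'ip': m['ip'],
                'time': m['ts'],
                'method': m['method'],
                'path': path,
                'status': int(m['status']),
            })
    return hits


def ips_with_hits(hits):
    """Distinct source addresses that produced at least one hit; these are the
    candidates to correlate against other telemetry (e.g. IoT scanning)."""
    return sorted({h['ip'] for h in hits})


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
    print('sources:', ', '.join(ips_with_hits(scan_log(SAMPLE_LOG))))
```

Run against a real log, the hits are a starting point rather than a verdict: a 200 response to a semicolon path on an unpatched instance warrants checking the host for dropped files and outbound connections, while the same request against a patched instance is still worth recording as reconnaissance. The `;jsessionid=` exclusion is deliberately narrow; widen it only for path parameters your deployment actually uses.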

Despite the vulnerability announcement in May, it took some time for scanning activity to begin exploiting the OFBiz vulnerability. Although the population of vulnerable and exposed systems is small, that has not deterred attackers in the past. They are now at least experimenting with the vulnerability and may be adding it to bots such as Mirai variants.
