A variant of the Mirai botnet, known as IZ1H9, has been discovered exploiting four distinct vulnerabilities in popular Linux-based servers and Internet of Things (IoT) devices. The botnet is being used to conduct network-based attacks, including distributed denial of service (DDoS) attacks. The vulnerabilities include two command injection flaws — CVE-2023-27076, affecting Tenda G103 devices, and CVE-2023-26801, impacting LB-Link devices — and two remote code execution (RCE) vulnerabilities, CVE-2023-26802, targeting DCN DCBI-Netlog-LAB, and another vulnerability without a CVE that affects Zyxel devices. Although the primary focus of the IZ1H9 variant appears to be DDoS attacks, the potential impact of the infection could be more severe, as the exploits can ultimately lead to RCE.
Researchers from Palo Alto Networks' Unit 42 observed the IZ1H9 variant in action during an attack on April 10. They believe that the same threat actor or group has been involved in multiple attacks since November 2021, with the malware existing in some form since 2018. The attribution of multiple recent attacks to the same actor is supported by several factors, including the nearly identical malware shell script downloaders used in the incidents. Additionally, the botnet samples recovered from the attacks share an XOR decryption key and the same infrastructure.
In the April 10 attack, researchers observed abnormal traffic from their threat-hunting system as attackers attempted to download and execute a shell script downloader, lb.sh, from IP 163.123.143[.]126. If executed, the shell script downloader would first delete logs to cover its tracks, then deploy and execute various bot clients to accommodate different Linux architectures. Finally, the shell script downloader would modify the device's iptables rules to block network connections on several ports, including SSH, telnet, and HTTP, preventing the victim from remotely connecting to and recovering the compromised device.
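As an added illustration, not taken from the Unit 42 report or any detection tool it names, the Python checker below flags two of the post-compromise traces described above in constructed sample data: an egress proxy log line showing a device fetching lb.sh from the reported downloader IP, and an iptables-save dump containing the lockout DROP rules on ports 22, 23 and 80. The log format, the sample lines and the helper names are assumptions.

```python
import re

# Indicator reported in the article (printed there defanged as 163.123.143[.]126).
DOWNLOADER_IP = "163.123.143.126"
# Ports the downloader firewalls off after infection, locking the owner out.
LOCKOUT_PORTS = {22, 23, 80}

# Constructed sample egress-proxy log lines (assumed format, not captured data).
SAMPLE_EGRESS_LOG = [
    "2023-04-10T12:00:58Z src=192.168.1.50 dst=93.184.216.34 url=http://example.com/index.html",
    "2023-04-10T12:01:04Z src=192.168.1.50 dst=163.123.143.126 url=http://163.123.143.126/lb.sh",
]

# Constructed iptables-save output from a device after the downloader ran.
SAMPLE_IPTABLES = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT"""

_LB_SH = re.compile(r"/lb\.sh(\s|$|[?#])")
_INPUT_DROP = re.compile(r"^-A INPUT\b.*--dport (\d+)\b.*-j DROP\b")


def find_downloader_fetches(lines):
    """Return log lines that contact the reported IP or request a file named lb.sh."""
    return [ln for ln in lines if DOWNLOADER_IP in ln or _LB_SH.search(ln)]


def find_lockout_rules(iptables_dump):
    """Return the subset of LOCKOUT_PORTS that INPUT rules DROP in an iptables-save dump."""
    found = set()
    for line in iptables_dump.splitlines():
        m = _INPUT_DROP.match(line.strip())
        if m and int(m.group(1)) in LOCKOUT_PORTS:
            found.add(int(m.group(1)))
    return found


def assess(egress_lines, iptables_dump):
    """Combine both checks; all three lockout ports dropped together is the strong signal."""
    fetches = find_downloader_fetches(egress_lines)
    locked = find_lockout_rules(iptables_dump)
    return {
        "downloader_fetches": fetches,
        "lockout_ports": locked,
        "suspicious": bool(fetches) or locked == LOCKOUT_PORTS,
    }
```

A single dropped port is common hardening on its own, so the combined check only treats the full 22/23/80 set, or any contact with the downloader, as the alert condition.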
The IZ1H9 variant first checks the network portion of the infected device's IP address to avoid execution for a list of IP blocks, including government networks, internet providers, and large tech companies. Stephen Gates, principal security subject matter expert at security firm Horizon3.ai, finds this behavior indicative of a threat group interested in longevity. Gates states, "This suggests that the botmasters want to avoid these networks so that they can continue to operate long term and stay under the radar of those who might focus on stopping their activities."
To defend against Mirai variants, researchers recommend updating vulnerable devices to the latest software versions and applying any available patches when possible. Organizations can also protect their networks with advanced firewall and threat protection that leverages machine learning to detect vulnerability exploits in real time, as well as advanced URL filtering and DNS security to block command-and-control domains and malware-hosting URLs. Furthermore, blocking ports 80 (HTTP), 22 (SSH), and 23 (TELNET) on public-facing devices should be a basic measure to mitigate this type of attack. Gates notes that IoT device manufacturers often leave these ports open in devices right off the assembly line, which he calls "utter negligence." He believes there should be an international governing body to hold IoT manufacturers responsible for their devices becoming botnet-infected and used to attack others, stating, "It appears that some sort of penalty is the only way to get manufacturers to shore up security on the devices they make and sell to others."