Hackers Exploit Router Vulnerabilities to Infiltrate Enterprise Networks

In recent months, a sophisticated cyber campaign has emerged, targeting enterprise routers to gain unauthorized access to corporate networks. Threat actors are exploiting firmware vulnerabilities in these devices, most of them publicly documented CVEs that remain unpatched on deployed units, enabling them to establish persistent footholds within critical sectors such as financial services, healthcare, and government institutions.

Scope and Impact of the Attacks

Security researchers have observed a significant increase in attacks focusing on network infrastructure devices, particularly enterprise-grade routers. These attacks have compromised networks in over a dozen countries, with Spain, China, and the United Kingdom experiencing the highest concentration of breaches. The attackers’ primary objective appears to be establishing long-term access to these networks, facilitating data exfiltration, ransomware deployment, and, in some cases, complete network control.

Exploitation Techniques

The attack methodology typically begins with the exploitation of unpatched firmware vulnerabilities in widely used router models. Because several of these flaws are reachable without credentials (unauthenticated OS command injection or an outright authentication bypass), attackers gain initial access directly through the device's exposed management interface and deploy custom malware that establishes command-and-control capabilities. Notably, these malicious actors have developed techniques to maintain persistence even through firmware updates, so re-flashing a device is not by itself a reliable eviction step, which complicates remediation efforts for security teams.

Specific Vulnerabilities Targeted

Several critical vulnerabilities have been identified as focal points for these attacks:

– CVE-2024-41473: A command injection vulnerability in Tenda FH1201 routers, allowing attackers to execute arbitrary commands and gain unauthorized control.

– CVE-2024-12987: A command injection flaw in DrayTek Vigor2960 and Vigor300B routers, enabling remote execution of OS commands without authentication.

– CVE-2024-9916: An OS command injection vulnerability in HuangDou UTCMS V9 software (a web content management system rather than a router, but exploited by the same botnets), permitting remote attackers to execute arbitrary commands without user interaction.

– CVE-2024-9644: An authentication bypass vulnerability in Four-Faith F3x36 routers, allowing unauthorized access to critical router settings.

– CVE-2024-2353, CVE-2024-24328, CVE-2024-24329: Stack-based buffer overflow vulnerabilities in Totolink routers, enabling remote code execution with elevated privileges.

These vulnerabilities have been actively exploited by botnets such as Mirai, whose current variants retain the original Telnet credential brute-forcing, add custom exploits for flaws like those listed above, and execute high-intensity Distributed Denial-of-Service (DDoS) attacks exceeding 100 Gbps. The botnet's primary goal is financial gain through DDoS-for-hire services, operating with approximately 15,000 active nodes daily and targeting entities in countries including China, Russia, the United States, Turkey, and Iran.
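Three of the five entries above are OS command injection bugs, the pattern in which a CGI handler pastes a request parameter into a shell command. The following is an added example written for this article, not code from any of the vendors named or from the botnet; it shows a simplified router "diagnostics" handler in its vulnerable form beside a hardened form. The request parameter name (`host`), the path `/bin/ping`, and all function names are assumptions for illustration, and the attacker input is constructed.

```c
/*
 * Added example (not code from the page or any vendor): a simplified
 * router CGI "diagnostics" handler that runs ping on a user-supplied host.
 * The vulnerable path pastes the parameter into a shell command string;
 * the hardened path validates the parameter against an allowlist and
 * executes the binary without a shell. The parameter name, the path to
 * ping and the helper names are assumptions for illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define CMD_MAX 256
#define HOST_MAX 253   /* maximum DNS name length */

/* VULNERABLE: the host value goes through /bin/sh unvalidated. A request
 * such as host=8.8.8.8;cat%20/etc/passwd becomes
 * "ping -c 1 8.8.8.8;cat /etc/passwd" and the second command runs as the
 * web server's user, which on most router firmware is root. */
int build_ping_command_vulnerable(const char *host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ping -c 1 %s", host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Allowlist: only characters that can appear in a hostname or an IPv4/IPv6
 * literal. Shell metacharacters (; | & ` $ ( ) < > space, newline) are
 * rejected, as are empty and over-long values. */
int host_is_safe(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > HOST_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return 0;
    }
    /* a leading '-' would be parsed by ping as an option, not a target */
    return host[0] != '-';
}

/* HARDENED: validate, then exec the binary directly with an argv array so
 * no shell ever interprets the value. Returns ping's exit status, or -1 if
 * the host is rejected or the process cannot be started. */
int run_ping_hardened(const char *host)
{
    if (!host_is_safe(host))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execv("/bin/ping", argv);   /* path assumed; adjust per firmware */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed attacker input of the kind sent to such CGI handlers */
    const char *payload = "8.8.8.8;cat /etc/passwd";
    char cmd[CMD_MAX];

    build_ping_command_vulnerable(payload, cmd, sizeof cmd);
    printf("vulnerable handler would run via sh -c: %s\n", cmd);
    printf("hardened handler accepts '%s': %d\n", payload, host_is_safe(payload));
    printf("hardened handler accepts '%s': %d\n", "8.8.8.8", host_is_safe("8.8.8.8"));
    return 0;
}
```

The allowlist is the important part: escaping or quoting the value for the shell is fragile, whereas rejecting everything outside the expected character set and passing the value as a single argv element leaves nothing for `/bin/sh` to interpret. The same pattern applies to any firmware handler that shells out (traceroute, NTP sync, firmware download).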

Mitigation Measures

To protect against these attacks, cybersecurity experts recommend the following steps:

– Firmware Updates: Ensure all routers and IoT devices are running the latest vendor firmware, and replace models that have reached end-of-life and no longer receive patches.

– Disable Remote Management: Turn off WAN-facing management interfaces (HTTP/HTTPS, SSH, Telnet) unless absolutely necessary; where remote administration is required, reach it through a VPN or restrict it to an allowlist of source addresses.

– Strong Passwords: Change factory-default credentials, since Mirai's Telnet brute-forcing relies on them, disable Telnet where possible, and use long unique passwords with a mix of uppercase/lowercase letters, numbers, and symbols.

– Network Scanning and Segmentation: Regularly scan networks for vulnerable devices, checking model and firmware version against the CVEs above, and implement segmentation so that management interfaces are reachable only from an administrative network and critical systems are isolated from the device segment.

The resurgence of Mirai underscores the persistent threat posed by IoT botnets exploiting unpatched vulnerabilities. Organizations must prioritize threat intelligence sharing and adopt robust security frameworks to mitigate the risks associated with evolving malware campaigns like Mirai.