Zerobot Botnet Emerges as a Growing Threat with New Exploits and Capabilities

The Hacker News (thehackernews.com), Dec 22, 2022, 9:39 a.m.

CVSS3: 9.8 High
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH

CVSS2: 10 High
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Access Vector: NETWORK | Access Complexity: LOW | Authentication: NONE | Confidentiality Impact: COMPLETE | Integrity Impact: COMPLETE | Availability Impact: COMPLETE

EPSS: 0.975 High (Percentile: 100.0%)

[Image: Zerobot Botnet]

The Zerobot DDoS botnet has received substantial updates that expand on its ability to target more internet-connected devices and scale its network.

Microsoft Threat Intelligence Center (MSTIC) is tracking the ongoing threat under the moniker DEV-1061, its designation for unknown, emerging, or developing activity clusters.

Zerobot, first documented by Fortinet FortiGuard Labs earlier this month, is a Go-based malware that propagates through vulnerabilities in web applications and IoT devices like firewalls, routers, and cameras.

“The most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively), and new DDoS attack capabilities,” Microsoft researchers said.

Also called ZeroStresser by its operators, the malware is offered as a DDoS-for-hire service to other criminal actors, with the botnet advertised for sale on various social media networks.

Microsoft said that one domain with connections to Zerobot – zerostresser[.]com – was among the 48 domains that were seized by the U.S. Federal Bureau of Investigation (FBI) this month for offering DDoS attack features to paying customers.

The latest version of Zerobot spotted by Microsoft not only targets unpatched and improperly secured devices, but also attempts to brute-force over SSH and Telnet on ports 23 and 2323 for spreading to other hosts.
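The spreading behaviour described above, one infected host trying many neighbours on the Telnet and SSH ports, leaves a distinctive fan-out pattern in connection or flow logs. The following detection, an added example that is not part of the article or of Microsoft's analysis, flags any source that reaches an unusual number of distinct hosts on ports 22, 23 or 2323 inside a sliding time window. The sample flows, the thresholds and the function name are my own constructions.

```python
"""Flag hosts that fan out to many distinct neighbours on SSH/Telnet ports (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds of the connection attempt
    src: str
    dst: str
    dport: int


# Telnet 23/2323 are named in the article as Zerobot's brute-force targets; SSH is added here.
LATERAL_PORTS = frozenset({22, 23, 2323})


def find_spreaders(flows, ports=LATERAL_PORTS, window=60, min_targets=5):
    """Return {src: peak_distinct_destinations} for every source that contacted at
    least `min_targets` distinct hosts on the watched ports within any `window`-second
    sliding interval. Counting distinct destinations rather than attempts keeps an
    admin retrying a single box from tripping the rule."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport in ports:
            by_src[f.src].append(f)
    hits = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        lo, peak = 0, 0
        for hi, cur in enumerate(fl):
            while cur.ts - fl[lo].ts > window:   # slide the window's left edge forward
                lo += 1
            peak = max(peak, len({f.dst for f in fl[lo:hi + 1]}))
        if peak >= min_targets:
            hits[src] = peak
    return hits


# Constructed sample traffic (not from the article): an admin repeatedly reaching one
# host over SSH, one host sweeping eight neighbours on 23/2323 within 21 seconds, and a
# slower sweep that touches one new host every ten minutes.
SAMPLE_FLOWS = (
    [Flow(t, "10.0.0.2", "10.0.1.1", 22) for t in range(0, 600, 100)]
    + [Flow(1000 + 3 * i, "10.0.0.5", f"10.0.1.{i + 1}", 23 if i % 2 == 0 else 2323)
       for i in range(8)]
    + [Flow(1005, "10.0.0.5", "10.0.3.1", 80)]   # unrelated web traffic, ignored by the port filter
    + [Flow(5000 + 600 * i, "10.0.0.9", f"10.0.2.{i + 1}", 23) for i in range(8)]
)

if __name__ == "__main__":
    print(find_spreaders(SAMPLE_FLOWS))                # {'10.0.0.5': 8}
    print(find_spreaders(SAMPLE_FLOWS, window=3600))   # {'10.0.0.5': 8, '10.0.0.9': 7}
```

The second call shows the trade-off a practitioner has to make: a one-minute window catches the fast sweep and ignores the slow one, while a one-hour window catches both at the cost of more false positives from legitimate management hosts, so the window and threshold should be tuned against a baseline of normal SSH/Telnet fan-out in the environment.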

[Image: Zerobot Botnet]

The list of newly added known flaws exploited by Zerobot 1.1 is as follows:

  • CVE-2017-17105 (CVSS score: 9.8) - A command injection vulnerability in Zivif PR115-204-P-RS
  • CVE-2019-10655 (CVSS score: 9.8) - An unauthenticated remote code execution vulnerability in Grandstream GAC2500, GXP2200, GVC3202, GXV3275, and GXV3240
  • CVE-2020-25223 (CVSS score: 9.8) - A remote code execution vulnerability in the WebAdmin of Sophos SG UTM
  • CVE-2021-42013 (CVSS score: 9.8) - A remote code execution vulnerability in Apache HTTP Server
  • CVE-2022-31137 (CVSS score: 9.8) - A remote code execution vulnerability in Roxy-WI
  • CVE-2022-33891 (CVSS score: 8.8) - An unauthenticated command injection vulnerability in Apache Spark
  • ZSL-2022-5717 (CVSS score: N/A) - A remote root command injection vulnerability in MiniDVBLinux

Upon successful infection, the attack chain proceeds to download a binary named “zero” for a specific CPU architecture that enables it to self-propagate to more susceptible systems exposed online.


Additionally, Zerobot is said to proliferate by scanning and compromising devices with known vulnerabilities that are not included in the malware executable, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers.

Zerobot 1.1 further incorporates seven new DDoS attack methods by making use of protocols such as UDP, ICMP, and TCP, indicating “continuous evolution and rapid addition of new capabilities.”

“The shift toward malware as a service in the cyber economy has industrialized attacks and has made it easier for attackers to purchase and use malware, establish and maintain access to compromised networks, and utilize ready-made tools to perform their attacks,” the tech giant said.


> NOTE: In this blog, Zerobot refers to a botnet that spreads primarily through IoT and web application vulnerabilities. It is not associated with the chatbot ZeroBot.ai.
