Mirai, Gafgyt Botnets Return to Target Infamous Apache Struts, SonicWall Flaws

Researchers have discovered new variants for the infamous Mirai and Gafgyt IoT botnets – now targeting well-known vulnerabilities in Apache Struts and SonicWall.

The new Mirai strain targets the Apache Struts flaw associated with the 2017 Equifax breach, while the Gafgyt variant uses a newly-disclosed glitch impacting older, unsupported versions of SonicWall’s Global Management System, according to researchers with Palo Alto Networks in a Sunday post.

“Here we’re seeing Mirai and Gafgyt variants targeting systems mostly seen in enterprises,” Ruchna Nigam, researcher with Palo Alto Networks, told Threatpost. “Ultimately, future trends are open to speculation, but we know that targeting enterprise links offers bigger bandwidth from a DDoS perspective. For now, it looks that the attackers may be doing a test run on the efficacy of using different vulnerabilities, with the intention of spotting ones that herd the maximum number of bots, affording them greater firepower for a DDoS.”

Mirai Evolves

Researchers said that they discovered samples of a Mirai variant on Sept. 7 incorporating exploits that targeted 16 separate vulnerabilities.

The variant notably exploits the critical arbitrary command-execution flaw in Apache Struts (CVE-2017-5638) that was patched in March 2017. This marks the first known instance of Mirai targeting a vulnerability in Apache Struts, researchers said. Attackers could use specially crafted content-type, content-disposition or content-length HTTP headers to launch an arbitrary command-execution attack.

Though a patch has been available for over a year now, many consumers may not have updated their systems – an issue that led to the already-patched vulnerability being responsible for the Equifax breach last summer that impacted 147 million consumers.

Flaws in Apache Struts have been actively exploited in the wild in other recent campaigns; these include a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution (CVE-2018-11776) vulnerability, which was patched in August.

The other 15 vulnerabilities targeted by the newest Mirai strain have been incorporated into the botnet in the past, including a Linksys remote code-execution flaw in Linksys E-Series devices, a Vacron NVR remote code-execution glitch, a remote code-execution issue in D-Link devices, remote code-execution vulnerabilities in CCTVs and DVRs from up to 70 vendors, and a flaw (CVE-2017-6884) in Zyxel routers.

Unit 42 also found that the domain currently hosting these Mirai samples previously resolved to a different IP address during the month of August — an IP address hosting a new version of Gafgyt as well.

Gafgyt Adds to Bag of Tricks

In August, the observed IP was “intermittently hosting samples of Gafgyt that incorporated an exploit against CVE-2018-9866, a SonicWall vulnerability affecting older versions of SonicWall Global Management System (GMS),” according to Nigam.

The targeted vulnerability (CVE-2018-9866) exists in the lack of validation of user-supplied parameters pass to XML-RPC calls on SonicWall Global Management System (GMS) virtual appliances, allowing remote users to execute arbitrary code.

This vulnerability affects older, unsupported GMS versions, including 8.1 and earlier (the flaw is not present in supported versions). A Metasploit module was first published earlier this summer for the flaw; SonicWall then published a public advisory about the critical issue July 17.

SonicWall has been notified of this latest development with Gafgyt, researchers said.

“The vulnerability disclosed in this post is not an announcement of a new vulnerability in SonicWall GMS,” a SonicWall spokesperson told Threatpost. “The issue referenced only affects an older version of the GMS software (version 8.1) which was replaced by version 8.2 in December 2016. Customers and partners running GMS version 8.2 and above are protected against this vulnerability. Customers still using GMS version 8.1 should apply a hotfix supplied by SonicWall in August 2018 and plan for an immediate upgrade, as GMS 8.1 went out of support in February 2018.”

The Gafgyt botnet exploits a range of IoT flaws, including other issues in Huawei, GPON and D-Link devices.

Once in, it then fetches an update from <HTTP_SERVER>, saves it to <FILE_LOCATION>, and installs the update. After that, the botnet launches a Blacknurse DDoS attack, an attack that involves ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016.

“One thing that stood out was the Gafgyt variant having support for the BlackNurse DDoS attack method,” Ruchna told us. “The earliest samples I have seen supporting this DDoS method are from September 2017.”

Continued Development

The discovery of new targeted vuln comes after it was revealed in July that Mirai and Gafgyt were actively launching two IoT/Linux botnet campaigns, exploiting the CVE-2018-10562 and CVE-2018-10561 bugs in Dasan routers.

In October 2016, the world was introduced to Mirai when it overwhelmed servers at global domain provider Dynamic Network Services (Dyn); that led to the blockage of more than 1,200 websites, including Netflix and Twitter. The Mirai source code was then released in Oct. 2016, with Mirai variants continuing to pop up left and right since then.

Most recently, in April, a variant of the Mirai botnet was used to launch a series of DDoS campaigns against financial sector businesses, while in January, researchers identified a variant called Satori (Mirai Okiru).