New Mirai Botnet Exploits Zero-Days in Routers and Smart Devices


Security researchers have uncovered a new Mirai-based botnet that uses zero-day exploits for industrial routers and smart home devices to spread.

The offensively named “gayfemboy” botnet was first discovered by Chinese research outfit Qi’anxin XLab back in February 2024. Yet while its early iterations were unremarkable versions of Mirai, its developers have since ramped up their efforts, incorporating n-day and zero-day vulnerability exploitation to help it expand.

These included a zero-day bug in Four-Faith industrial routers (CVE-2024-12856) and previously unseen vulnerabilities in Neterbit routers and Vimar smart home devices, which have yet to be assigned CVEs.

Overall, the botnet uses more than 20 vulnerabilities and weak Telnet passwords to spread, according to XLab. The firm claimed to have observed around 15,000 active IPs located mainly in China, Russia, the US, Iran and Turkey.

The botnet has been launching DDoS attacks intermittently since February 2024, with activity at its peak to date in October and November last year. Hundreds of targets from various sectors are apparently attacked every day – mainly in China, the US, Germany, the UK and Singapore.

In fact, the botnet herders turned the tool on XLab after the firm registered some command-and-control (C2) domain names in order to conduct closer analysis.

“We resolved the registered domain name to our cloud vendor’s VPS. After discovering this, the owner began to regularly launch DDoS attacks on our registered domain name, with each attack lasting 10 to 30 seconds,” XLab said.

“After the cloud vendor discovered that our VPS was attacked, it would immediately black hole our VPS traffic for more than 24 hours, which would cause our VPS to be unable to provide services and be inaccessible (our VPS was killed by the cloud vendor before it was killed by [the botnet], as this is the cloud vendor’s service policy). Once the VPS service was restored, it attacked again.”

As the researchers did not have any DDoS mitigation service protecting them, they were ultimately forced to stop resolving the C2 domain name.
