New Mirai Botnet Exploits Zero-Days in Routers and Smart Devices

Security researchers have uncovered a new Mirai-based botnet that uses zero-day exploits for industrial routers and smart home devices to spread.
The offensively named “gayfemboy” botnet was first discovered by Chinese research outfit Qi’anxin XLab back in February 2024. Yet while its early iterations were unremarkable versions of Mirai, its developers have since ramped up their efforts, incorporating n-day and zero-day vulnerability exploitation to help it expand.
These included a zero-day bug in Four-Faith industrial routers (CVE-2024-12856) and previously unseen vulnerabilities in Neterbit routers and Vimar smart home devices, which have yet to be assigned CVEs.
Overall, the botnet uses more than 20 vulnerabilities and weak Telnet passwords to spread, according to XLab. The firm claimed to have observed around 15,000 active IPs located mainly in China, Russia, the US, Iran and Turkey.
The botnet has been launching DDoS attacks intermittently since February 2024, with activity at its peak to date in October and November last year. Hundreds of targets from various sectors are apparently attacked every day – mainly in China, the US, Germany, the UK and Singapore.
In fact, the botnet herders turned the tool on XLab itself, after the firm registered some command-and-control (C2) domain names in order to conduct closer analysis.
“We resolved the registered domain name to our cloud vendor’s VPS. After discovering this, the owner began to regularly launch DDoS attacks on our registered domain name, with each attack lasting 10 to 30 seconds,” XLab said.
“After the cloud vendor discovered that our VPS was attacked, it would immediately black hole our VPS traffic for more than 24 hours, which would cause our VPS to be unable to provide services and be inaccessible (our VPS was killed by the cloud vendor before it was killed by [the botnet], as this is the cloud vendor’s service policy). Once the VPS service was restored, it attacked again.”
As the researchers did not have any DDoS mitigation service protecting them, they were ultimately forced to stop resolving the C2 domain name.