CISO2CISO Editor 2@ciso2ciso.com - 39d
Cloudflare mitigated a record-breaking 5.6 Tbps Distributed Denial of Service (DDoS) attack on October 29, 2024. The attack, a UDP flood launched by a Mirai-variant botnet, targeted an internet service provider (ISP) in East Asia. The botnet consisted of roughly 13,000 compromised IoT devices that flooded the target with junk traffic in an attempt to knock the ISP offline.
The attack lasted only 80 seconds, but Cloudflare's autonomous defense systems detected and mitigated the anomalous traffic without human intervention, dropping the malicious packets at Cloudflare's edge. Around 5,500 source IP addresses were active in any given second, each contributing on average about 1 Gbps. The incident illustrates the growing scale of DDoS threats: hyper-volumetric attacks exceeding 1 Tbps rose sharply during 2024, which underscores the need for automated, always-on DDoS mitigation that does not depend on an operator reacting within an 80-second attack window.
References :
- ciso2ciso.com: New Mirai Malware Variant Targets AVTECH Cameras, Huawei Routers – Source: www.infosecurity-magazine.com
- securityaffairs.com: New Mirai botnet variant Murdoc Botnet targets AVTECH IP cameras and Huawei HG532 routers
- The Hacker News: Mirai Variant Murdoc Botnet Exploits AVTECH IP Cameras and Huawei Routers
- Techzine Global: Mirai variant Murdoc_Botnet targets cameras and routers
- discuss.privacyguides.net: New botnet network targets Avtech cameras and Hauwei HG532 routers
- hackread.com: New Mirai Variant Murdoc_Botnet Launches DDoS Attacks via IoT Exploits
- bsky.app: Interesting research from Qualys here where they found a botnet that’s infected vulnerable AVTECH cameras and Huawei routers.
- cyberpress.org: New IoT Botnet Launching large-scale DDoS attacks Hijacking IoT Devices
- gbhackers.com: New IoT Botnet Launching Large-Scale DDoS attacks Hijacking IoT Devices
- securityonline.info: IoT Botnet Fuels Large-Scale DDoS Attacks Targeting Global Organizations
- ciso2ciso.com: Mirai Variant Murdoc Botnet Exploits AVTECH IP Cameras and Huawei Routers – Source:thehackernews.com
- ciso2ciso.com: New Mirai Variant Murdoc_Botnet Launches DDoS Attacks via IoT Exploits
- ciso2ciso.com: Mirai Botnet Launches Record 5.6 Tbps DDoS Attack with 13,000+ IoT Devices
- ciso2ciso.com: Details about the mitigation of the DDoS attack.
- gbhackers.com: Record Breaking 5.6 Tbps DDoS attack Launched by Mirai Botnet
- ciso2ciso.com: Cloudflare Mitigates Massive 5.6 Tbps Mirai-Variant DDoS Attack – Source:hackread.com
- securityonline.info: Mirai Botnet Unleashes Record-Breaking DDoS Attack, Cloudflare Thwarts Threat
- hackread.com: Cloudflare mitigated a record-breaking 5.6 Tbps DDoS attack
- gbhackers.com: Researchers have identified an active malware campaign involving a Mirai botnet variant, dubbed Murdoc, which has been targeting AVTECH cameras and Huawei HG532 routers since at least July 2024.
- BleepingComputer: The largest distributed denial-of-service (DDoS) attack to date peaked at 5.6 terabits per second and came from a Mirai-based botnet with 13,000 compromised devices.
- securityonline.info: On October 29, 2024, Cloudflare revealed details of a DDoS attack orchestrated using a Mirai botnet comprising 13,000
- blog.cloudflare.com: In 2024, Cloudflare's autonomous DDoS defense systems blocked 21.3M DDoS attacks, up 53% YoY, and 420 DDoS attacks in Q4 2024 exceeded 1 Tbps, up 1,885% QoQ (The Cloudflare Blog)
- : Cloudflare thwarts a massive 5.6 Tbps Mirai-variant DDoS attack targeting one of its customers
Zeljka Zorz@Help Net Security - 29d
Zyxel has announced that it will not release patches for two actively exploited zero-day vulnerabilities, CVE-2024-40890 and CVE-2024-40891. They affect multiple legacy DSL CPE products, including models VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, and allow an attacker to execute arbitrary commands on the device. CVE-2024-40891 is being actively exploited in the wild by a Mirai botnet variant.
GreyNoise warned that more than 1,500 vulnerable devices are exposed on the internet. CVE-2024-40890 is a post-authentication command injection in the CGI program: an authenticated attacker can execute operating system (OS) commands by sending a crafted HTTP POST request. CVE-2024-40891 is a post-authentication command injection in the management commands: an authenticated attacker can execute OS commands over Telnet. Because these devices ship with well-known default credentials, "post-authentication" offers little protection in practice. Zyxel advises users to replace the end-of-life products with current-generation devices.
References :
- gbhackers.com: Zyxel CPE Zero-Day (CVE-2024-40891) Exploited in the Wild
- The Hacker News: Zyxel CPE Devices Face Active Exploitation Due to Unpatched CVE-2024-40891 Vulnerability
- Help Net Security: Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891)
- thedefendopsdiaries.com: Exploiting the Unpatched: A Deep Dive into Zyxel CPE Vulnerability | The DefendOps Diaries
- ciso2ciso.com: Unpatched Zyxel CPE Zero-Day Pummeled by Cyberattackers – Source: www.darkreading.com
- BleepingComputer: Hackers are exploiting a critical command injection vulnerability in Zyxel CPE Series devices that is currently tracked as CVE-2024-40891 and remains unpatched since last July.
- securityonline.info: Zero-Day Alert: Mirai Botnet Exploiting Unpatched Zyxel CPE Vulnerability (CVE-2024-40891)
- www.bleepingcomputer.com: Hackers exploit critical unpatched flaw in Zyxel CPE devices
- Vulnerability-Lookup: Command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE from Zyxel, published on Vulnerability-Lookup.
- SecurityWeek: Zyxel Issues ‘No Patch’ Warning for Exploited Zero-Days
- The GreyNoise Blog: Active exploitation of zero-day Zyxel CPE vulnerability (CVE-2024-40891)
- www.zyxel.com: Zyxel security advisory confirms the existence of command injection and insecure default credentials vulnerabilities affecting end-of-life DSL CPE products.
- Dataconomy: If you own these Zyxel devices uninstall them now: No fix is coming
@osint10x.com - 64d
Cybersecurity experts are warning about a surge in activity from two botnets, FICORA and CAPSAICIN, exploiting old vulnerabilities in D-Link routers. These botnets are leveraging decade-old weaknesses in the Home Network Administration Protocol (HNAP) interface to execute malicious commands, propagate malware, and launch DDoS attacks. FICORA, a Mirai variant, targets devices globally, while CAPSAICIN, a Kaiten variant, primarily targets East Asia. The attacks demonstrate the ongoing risks posed by outdated and unpatched network hardware, with the vulnerabilities used having been known for years.
The FICORA botnet uses a downloader script to deploy its payload and carries a brute-force routine with hard-coded credentials; it can launch UDP, TCP, and DNS flooding attacks. The CAPSAICIN botnet focuses on rapid deployment and kills rival botnet processes on infected devices to keep exclusive control; it reports operating system information to a command-and-control server and waits for further commands. Researchers advise replacing end-of-life routers or updating firmware where updates still exist, monitoring for the published indicators of compromise, and using security tooling to mitigate the threat, underscoring the danger of keeping aging, unpatched hardware on the network.
References :
- siliconangle.com: Botnets leverage decade-old D-Link vulnerabilities in new attack campaigns
- www.fortinet.com: Fortinet : The fun don't stop with end-of-life D-Link products: Botnets like FICORA, a Mirai variant, and CAPSAICIN, a Kaiten variant, are exploiting , , , and . Only CVE-2015-2051 is in CISA's KEV Catalog. Indicators of compromise are provided.
- The Hacker News: FICORA and Kaiten Botnets Exploit Old D-Link Vulnerabilities for Global Attacks
- osint10x.com: Botnets Continue to Target Aging D-Link Vulnerabilities
- Security Affairs: SecurityAffairs.com article on surge in FICORA and Kaiten botnet activity.
- Cyber Security News: New Botnet Exploits D-Link Routers for Remote Control
- ciso2ciso.com: FICORA and Kaiten Botnets Exploit Old D-Link Vulnerabilities for Global Attacks
- cyberpress.org: Researchers observed increased activity from Mirai variant “FICORA” and Kaiten variant “CAPSAICIN” botnets in late 2024 that exploited known vulnerabilities in D-Link devices, such as CVE-2024-33112.
- CyberInsider: Unpatched D-Link routers worldwide targeted by new malware
- ciso2ciso.com: Experts warn of a surge in activity associated with FICORA and Kaiten botnets – Source: securityaffairs.com
- securityonline.info: CVE-2024-33112 and More: How FICORA and CAPSAICIN Botnets Are Exploiting D-Link Devices
- ciso2ciso.com: FICORA, CAPSAICIN Botnets Exploit Old D-Link Router Flaws for DDoS Attacks.
- ciso2ciso.com: FICORA, CAPSAICIN Botnets Exploit Old D-Link Router Flaws for DDoS Attacks – Source:hackread.com
- gbhackers.com: New Botnet Exploiting D-Link Routers To Gain Control Remotely
- Security Risk Advisors: 🚩 Mirai “FICORA” and Kaiten “CAPSAICIN” Botnets Target Decade-Old D-Link Weaknesses
- Techzine Global: Malware botnets abuse outdated D-Link routers
- supportannouncement.us.dlink.com: D-Link Security Advisory
@supportportal.juniper.net - 72d
Juniper Networks has warned that its Session Smart Routers (SSR) are being targeted by the Mirai botnet. The malware is compromising devices that still use the default password and then enlisting them in distributed denial-of-service (DDoS) attacks. Following reports of anomalous activity since December 11, 2024, the company urges all SSR users to change the default password immediately.
Mirai scans networks for exposed services and default credentials to gain access to devices, which are then used to attack other systems. Juniper advises users not only to change passwords but also to audit access logs for suspicious activity, restrict management access with firewalls, and keep software up to date. If a system is found to be infected, Juniper recommends reimaging it entirely, because the changes made by the malware are hard to enumerate and reverse.
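The log audit Juniper recommends above, and the Telnet default-credential exposure behind the Zyxel items on this page, both come down to two observable patterns: a login that succeeds only after a burst of failures from the same remote host (credential guessing against a default account), and the compromised device then spraying TCP SYNs at ports 23 and 2323 across many addresses (Mirai's own telnet scanner). The following is an added example for this page, not code from Juniper, Zyxel or any vendor; the auth-log line format, the flow-record fields, the thresholds and every address in it are assumptions, and the sample log and flows are constructed.

```python
"""Two indicators of a Mirai-style router compromise: a brute-forced login
followed by outbound scanning of TCP/23 and TCP/2323.

Added example; not vendor code. Log format, flow fields and addresses are
assumptions. Adapt the regex and the Flow fields to your own telemetry."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Mirai's scanner probes TCP/23 and, less often, TCP/2323 on random addresses.
SCAN_PORTS = {23, 2323}

# Constructed auth log (assumed syslog-like format). 192.0.2.10 is the router's
# management address; three failures then a success from the same remote host.
AUTH_LOG = """\
2024-12-11T03:10:01Z 192.0.2.10 login: FAILED LOGIN for admin from 198.51.100.7
2024-12-11T03:10:03Z 192.0.2.10 login: FAILED LOGIN for root from 198.51.100.7
2024-12-11T03:10:05Z 192.0.2.10 login: FAILED LOGIN for supervisor from 198.51.100.7
2024-12-11T03:10:07Z 192.0.2.10 login: LOGIN OK for admin from 198.51.100.7
2024-12-11T03:30:00Z 192.0.2.10 login: LOGIN OK for admin from 10.0.0.5
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<result>FAILED LOGIN|LOGIN OK) "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def brute_force_successes(log_text, min_failures=3):
    """Return (host, user, src) for each login that succeeded after at least
    min_failures failed attempts from the same source against the same host."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        key = (m["host"], m["src"])
        if m["result"] == "FAILED LOGIN":
            failures[key] += 1
        elif failures[key] >= min_failures:
            hits.append((m["host"], m["user"], m["src"]))
    return hits


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    syn_only: bool  # SYN sent, handshake never completed (typical of a scanner)


def telnet_scanners(flows, min_targets=20):
    """Return sources that sent unanswered SYNs to TCP/23 or TCP/2323 at
    min_targets or more distinct destinations."""
    targets = defaultdict(set)
    for f in flows:
        if f.dport in SCAN_PORTS and f.syn_only:
            targets[f.src].add(f.dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)


def constructed_flows():
    """Constructed sample: the router sprays 30 SYNs at 23/2323 (roughly 10:1,
    as Mirai does); a workstation makes three ordinary, completed telnet sessions."""
    flows = [
        Flow("192.0.2.10", f"203.0.113.{i}", 2323 if i % 10 == 0 else 23, True)
        for i in range(30)
    ]
    flows += [Flow("10.0.0.5", f"10.0.1.{i}", 23, False) for i in range(3)]
    return flows


def likely_compromised(log_text, flows):
    """Hosts that both accepted a brute-forced login and then scanned for telnet."""
    brute = {host for host, _, _ in brute_force_successes(log_text)}
    return sorted(brute & set(telnet_scanners(flows)))


if __name__ == "__main__":
    print("brute-forced logins:", brute_force_successes(AUTH_LOG))
    print("telnet scanners:", telnet_scanners(constructed_flows()))
    print("likely compromised:", likely_compromised(AUTH_LOG, constructed_flows()))
```

Either signal alone produces false positives (a forgetful administrator, a legitimate inventory scan); the correlation in likely_compromised is what makes the finding actionable, and a device that shows up there is the one Juniper's advice says to reimage rather than clean.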
References :
- supportportal.juniper.net: Juniper : Juniper warns that customers with Juniper Session Smart Routers (SSR) are getting infected with Mirai DDoS botnet malware because they didn't change from the default password. 🤦♂️
- OODAloop: Juniper Networks is warning of a Mirai botnet which is targeting their session smart routers (SSR). Routers using default passwords are being targeted in the botnet infection campaign.
- securityaffairs.com: Juniper Networks warns that a Mirai botnet is targeting Session Smart Router (SSR) products with default passwords.
- The Hacker News: Juniper Networks is warning that Session Smart Router (SSR) products with default passwords are being targeted as part of a malicious campaign that deploys the Mirai botnet malware.
- BleepingComputer: Juniper Networks has warned customers of Mirai malware attacks targeting and infecting Session Smart routers using default credentials.
- AAKL: This is a couple of days old. Juniper: Session Smart Router: Mirai malware found on systems when the default password remains unchanged. More: Juniper Warns of Mirai Botnet Targeting SSR Devices with Default Passwords
- social.tchncs.de: Juniper: Session Smart Router: Mirai malware found on systems when the default password remains unchanged
- malware.news: Mirai botnet actively targeting vulnerable Juniper routers
- Security Risk Advisors: The Hacker News article about Juniper routers being exploited by Mirai Botnet
- Latest from TechRadar: TechRadar article about Mirai botnet targeting Juniper routers
@cyberscoop.com - 61d
A critical vulnerability, CVE-2024-12856, has been discovered in Four-Faith industrial routers, specifically models F3x24 and F3x36, enabling remote code execution. The flaw resides in the /apply.cgi endpoint, where the adj_time_year parameter reaches the system without sanitization, so an authenticated attacker can inject OS commands. The bug is post-authentication, but the routers ship with default credentials, so in practice attackers log in with those and then inject commands to open reverse shells back to their own infrastructure. Roughly 15,000 internet-exposed devices are estimated to be at risk.
Exploitation can lead to malware installation, data theft, and significant network disruption. Observed attack attempts have been linked to a Mirai malware variant, suggesting a targeted campaign. Users of affected Four-Faith routers are urged to update to the latest firmware and to replace the default password with a strong one. VulnCheck has also published a Suricata rule that detects exploitation attempts against the endpoint.
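Both the D-Link HNAP campaign described earlier on this page and the Four-Faith /apply.cgi flaw above are command injections through a web interface, and both are detectable in captured HTTP traffic by the same kind of check: a value that should be a handler name or a number instead carries shell metacharacters. The following is an added example for this page, not VulnCheck's Suricata rule, Fortinet's indicators, or any vendor's code. The request samples are constructed; the HNAP SOAPAction namespace is the public one, while the hosts, the second form parameter and the payload shapes are assumptions.

```python
"""Flag command-injection attempts against router web interfaces in captured
HTTP requests: the D-Link HNAP SOAPAction header and the Four-Faith /apply.cgi
adj_time_year parameter.

Added example; not vendor, VulnCheck or Fortinet code. Samples are constructed."""
import re
from urllib.parse import parse_qs

# Characters that let a value break out of a shell command line; none of them
# belong in a SOAP action name or in a numeric form field.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")

# Form parameters on /apply.cgi that must be plain integers. Only adj_time_year
# is named in the reporting above; extend this from your own config captures.
INTEGER_PARAMS = {"adj_time_year": re.compile(r"\d{4}")}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def hnap_injection(path, headers):
    """HNAP abuse: the SOAPAction header selects a handler, and on vulnerable
    D-Link firmware its value reaches a shell, so shell metacharacters in it are
    an injection attempt rather than a legitimate action name."""
    action = headers.get("soapaction", "")
    return path.startswith("/HNAP1") and SHELL_META.search(action) is not None


def apply_cgi_injection(path, body):
    """Four-Faith /apply.cgi: every integer parameter must match its pattern
    exactly. '2024;id', or '2024%3Bid' once parse_qs decodes it, is an attempt."""
    if not path.startswith("/apply.cgi"):
        return False
    params = parse_qs(body, keep_blank_values=True)
    return any(
        not pattern.fullmatch(value)
        for name, pattern in INTEGER_PARAMS.items()
        for value in params.get(name, [])
    )


def classify(raw):
    """Return the list of findings for one raw request (empty if it looks benign)."""
    method, path, headers, body = parse_request(raw)
    findings = []
    if hnap_injection(path, headers):
        findings.append("hnap-soapaction-injection")
    if method == "POST" and apply_cgi_injection(path, body):
        findings.append("apply-cgi-integer-param-injection")
    return findings


# Constructed samples, not captured traffic. Hosts are documentation addresses.
SAMPLES = {
    "hnap_benign": (
        "POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.1\r\n"
        'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings"\r\n'
        "Content-Length: 0\r\n\r\n"
    ),
    "hnap_injection": (
        "POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.1\r\n"
        'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/`id`"\r\n'
        "Content-Length: 0\r\n\r\n"
    ),
    "apply_benign": (
        "POST /apply.cgi HTTP/1.1\r\nHost: 192.0.2.2\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "adj_time_year=2024&page=time"  # 'page' is an assumed extra field
    ),
    "apply_injection": (
        "POST /apply.cgi HTTP/1.1\r\nHost: 192.0.2.2\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "adj_time_year=2024%3Bid&page=time"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {classify(raw) or 'clean'}")
```

The apply.cgi check is deliberately an allow-list (the field must be exactly four digits) rather than a search for bad characters, because the attacker controls the encoding and a deny-list is only as good as its last update; the HNAP check has to be a deny-list because the set of legitimate action names is firmware-specific. Run classify over decoded requests from a proxy or packet capture in front of the device, and treat any finding as an exploitation attempt to be blocked and investigated.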
References :
- ciso2ciso.com: Threat actors attempt to exploit a flaw in Four-Faith routers – Source: securityaffairs.com
- Cyber Security News: Four-Faith Routers Hacked: Remote Access Vulnerability Exploited
- gbhackers.com: GBHackers article on Four-Faith industrial routers vulnerability exploited in the wild to gain remote access.
- www.bleepingcomputer.com: Threat actors are exploiting a post-authentication remote command injection vulnerability in Four-Faith routers tracked as CVE-2024-12856 to open reverse shells back to the attackers.
- ciso2ciso.com: Critical Flaw Exposes Four-Faith Routers to Remote Exploitation – Source:hackread.com
- cyberscoop.com: Thousands of industrial routers vulnerable to command injection flaw
- cyberpress.org: Four-Faith Routers Hacked: Remote Access Vulnerability Exploited
Zeljka Zorz@Help Net Security - 23d
Zyxel is warning users of its legacy DSL Customer Premises Equipment (CPE) products about actively exploited vulnerabilities that will not be patched. CVE-2024-40891 is a command injection flaw reachable over the Telnet service, and CVE-2025-0890 covers the insecure default credentials the devices ship with. Together they let an unauthenticated attacker take full control of an affected router: log in with the default account, then inject commands. That can lead to data theft, use of the device as a foothold for further attacks, and loss of internet connectivity.
GreyNoise has observed attackers, including Mirai-based botnets, actively exploiting these flaws. The affected models, including VMG1312-B10A, VMG3926-B10B, and SBG3500, are end-of-life but remain in use and are still available for purchase. Zyxel recommends replacing them with newer models; as an interim measure, Telnet access should be disabled and the default accounts "supervisor:zyad1234" and "zyuser:1234" changed, since those well-known credentials give attackers trivial access.
References :
- securityonline.info: Zyxel Routers Under Attack: Default Credentials (CVE-2025-0890) and Code Injection (CVE-2024-40891), No Patch!
- Dataconomy: Taiwanese hardware maker Zyxel announced that it will not release a patch for two actively exploited vulnerabilities in multiple legacy DSL customer premises equipment (CPE) products.
- securityonline.info: Security researchers have identified critical vulnerabilities in Zyxel Customer Premises Equipment (CPE), leaving countless users vulnerable.
- Vulnerability-Lookup: Command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE from Zyxel, published on Vulnerability-Lookup.
- BleepingComputer: Zyxel will not release a patch for two actively exploited vulnerabilities in multiple legacy DSL customer premises equipment (CPE) products.
@www.bleepingcomputer.com - 36d
Cloudflare has mitigated a record-breaking 5.6 Tbps DDoS attack, the latest sign of the growing scale of volumetric threats. The attack came from a Mirai-variant botnet of roughly 13,000 IoT devices and targeted an East Asian internet service provider. It surpasses the 3.8 Tbps attack Cloudflare disclosed in early October 2024. The new attack lasted only 80 seconds and was handled entirely by Cloudflare's automated defenses. It fits a worrying trend: attacks above 1 Tbps grew by 1,885% quarter over quarter, and Cloudflare recorded a 53% increase in DDoS attacks across 2024, blocking an average of 4,870 attacks per hour.
Separately, a vulnerability in Cloudflare's CDN was identified that could reveal a user's approximate location. Discovered by a security researcher, it allowed a target's location to be inferred simply by sending them an image on platforms such as Signal and Discord: the CDN caches media at the data center closest to the recipient, and checking which Cloudflare data center holds the cached copy of that image reveals roughly where the recipient is. The technique located users to within about 50 to 300 miles, a clear privacy and safety concern. Cloudflare has fixed the specific issue, but the researcher noted that similar location inference may still be possible by other means.
References :
- ciso2ciso.com: Cloudflare Mitigates Massive 5.6 Tbps Mirai-Variant DDoS Attack – Source:hackread.com
- BleepingComputer: A security researcher discovered a flaw in Cloudflare's content delivery network (CDN), which could expose a person's general location by simply sending them an image on platforms like Signal and Discord.
- www.scworld.com: User location data exposure threatened by Cloudflare CDN vulnerability