2025-01-29
Akamai researchers have discovered a new variant of the notorious Mirai-based botnet known as Aquabot. This new version, dubbed Aquabotv3, specifically targets a vulnerability in Mitel SIP phones. The botnet, which has been evolving since its initial appearance in 2023, continues to pose a significant threat due to its ability to exploit command injection vulnerabilities. In this article, we’ll delve into the details of Aquabotv3, how it exploits the Mitel vulnerability, and the potential implications for cybersecurity professionals and organizations.
Summary
Akamai has uncovered a new version of the Mirai-based Aquabot botnet, identified as Aquabotv3. This variant targets the command injection vulnerability CVE-2024-41710, affecting Mitel SIP phones. The vulnerability impacts Mitel’s 6800, 6900, and 6900w series phones, including the 6970 Conference Unit. Mitel addressed the flaw in mid-July 2024 with firmware updates. However, a Proof of Concept (PoC) exploit was released by researcher Kyle Burns a month later, detailing how attackers could exploit the flaw.
The Aquabotv3 botnet introduces a function not previously seen in Mirai-based malware: it reports to its command and control (C2) server when specific signals are detected on the infected device. This new behaviour is a significant departure from previous variants and makes Aquabotv3 a distinct iteration of the botnet. Additionally, Aquabotv3 continues to target vulnerabilities in other products, such as Hadoop YARN and various routers, alongside exploiting the Mitel vulnerability.
The threat actors behind Aquabot have advertised their botnet on platforms like Telegram, often under the guise of offering DDoS mitigation services. However, experts warn that these claims are misleading, as the botnet is primarily used to conduct real DDoS attacks.
What Undercode Says:
The release of Aquabotv3 marks a notable evolution in the capabilities of Mirai-based botnets. While the core of Aquabot remains unchanged from its predecessors, the introduction of new features and newly targeted vulnerabilities suggests a growing sophistication in its deployment.
1. Innovative C2 Communication:
One of the standout features of Aquabotv3 is its use of signal handling and the ability to report to its command and control server when certain kill signals are detected on the infected device. This introduces a level of communication previously unseen in Mirai-based botnets. It hints at a possible intentional shift by threat actors to monitor and possibly evade countermeasures from cybersecurity professionals or competing botnets.
2. Exploitation of Mitel Vulnerability:
The CVE-2024-41710 flaw, which affects Mitel SIP phones, is particularly concerning as it allows for command injection attacks. While Mitel addressed the flaw in mid-2024 with firmware updates, the release of a PoC exploit code made it clear that the vulnerability could be easily weaponized. This highlights a critical issue in the rapid pace at which botnet operators can exploit newly discovered vulnerabilities, often before organizations can patch them.
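To make the vulnerability class concrete for defenders reviewing their own device firmware, here is an added illustration of OS command injection in C and the two controls that close it. This is generic example code written for this article; it is not Mitel's code, not derived from CVE-2024-41710 or the public PoC, and the handler name, parameter and diagnostic command are hypothetical. The unsafe function only builds the string the shell would have received, so nothing untrusted is ever executed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define HOST_MAX 63

/* VULNERABLE pattern (hypothetical diagnostic handler): a request parameter
 * is pasted straight into a shell command line and handed to system().
 * Anything the shell treats specially in `host` (';', '|', '`', "$(" ...)
 * becomes part of the command. Only the string is built here; it is never
 * run, so the function is safe to call in a test. */
size_t build_ping_cmd_unsafe(const char *host, char *out, size_t outlen) {
    /* e.g. host = "10.0.0.1;echo injected" (constructed sample input)
     *      yields "ping -c 1 10.0.0.1;echo injected" */
    return (size_t)snprintf(out, outlen, "ping -c 1 %s", host);
}

/* Hardened step 1: strict allowlist on the parameter. A hostname or IPv4
 * literal only needs letters, digits, '.' and '-', with a bounded length;
 * a leading '-' is rejected so the value cannot be parsed as an option. */
bool host_is_safe(const char *host) {
    size_t n = strlen(host);
    if (n == 0 || n > HOST_MAX) return false;
    if (host[0] == '-') return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return false;
    }
    return true;
}

/* Hardened step 2: no shell at all. The argument vector goes to execvp()
 * directly, so even if validation were somehow bypassed there is no shell
 * to interpret metacharacters. Returns ping's exit status, or -1 if the
 * input was rejected or the child could not be started. */
int diag_ping_safe(const char *host) {
    if (!host_is_safe(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execvp(argv[0], argv);
        _exit(127);                 /* only reached if exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample inputs: one benign, one with a shell metacharacter,
     * one that looks like an option, one ordinary hostname. */
    const char *inputs[] = { "10.0.0.1", "10.0.0.1;echo injected", "-f",
                             "phone-01.example" };
    char buf[256];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        build_ping_cmd_unsafe(inputs[i], buf, sizeof buf);
        printf("%-24s shell would see: \"%s\"  allowlist: %s\n", inputs[i],
               buf, host_is_safe(inputs[i]) ? "accept" : "reject");
    }
    return 0;
}
```

The point for patch-review and firmware audits is the pairing: an allowlist alone can be undermined by a missed character or encoding, and exec without a shell alone still leaves option injection, so both belong together wherever device-management interfaces turn request parameters into processes.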
3. Targeting IoT Devices and Routers:
In typical Mirai fashion, Aquabotv3 continues to expand its reach by targeting a wide array of devices, including IoT products and routers from various manufacturers such as Linksys, Teltonika, and LB-LINK. This diversification makes it harder for network defenders to pinpoint and mitigate attacks, as the botnet can evolve to exploit multiple weaknesses across a broad spectrum of devices.
4. DDoS-as-a-Service:
The emergence of Aquabot as a DDoS-as-a-service is another worrying trend. Threat actors are increasingly advertising their botnets as tools for DDoS mitigation testing, often on forums or Telegram channels. This makes it harder to distinguish between legitimate users and malicious actors, especially since these botnets are frequently used for real-world attacks once they’ve gathered enough infected devices.
5. Impact on Enterprise Networks:
Given that Aquabot targets both consumer devices (routers) and enterprise-grade equipment (SIP phones), its impact could be far-reaching. The botnet’s use of command injection and its capability to exploit other vulnerabilities makes it a significant threat to a variety of sectors, including telecommunications, enterprise IT, and IoT infrastructure. Organizations that rely on Mitel systems or similar hardware must be proactive in securing their networks to avoid falling victim to Aquabotv3.
6. Security Implications and Future Trends:
The fact that Aquabotv3 exhibits unique features, such as kill signal detection and specific signal-handling behavior, could be indicative of future trends in botnet development. This behavior suggests that threat actors are not only aiming for maximum destruction but are also focused on evading detection. The possibility that the operators of Aquabot are learning from security experts and adjusting their tactics based on countermeasures is a concerning development.
Moreover, the increased use of Telegram and similar platforms to market these botnets is part of a broader trend where cybercriminals are using legitimate platforms to operate in the open. This means that network defenders must not only focus on technical countermeasures but also monitor these platforms to identify early warning signs of an attack.
In conclusion, while Aquabotv3 does not introduce entirely new technology, its unique features and expanding target list make it a more formidable threat. As botnets like Aquabot continue to evolve, cybersecurity professionals must remain vigilant and proactive in applying patches and monitoring their networks for signs of compromise. The landscape of DDoS attacks is changing, and botnets like Aquabot are likely to play a central role in future attacks.
References:
Reported By: Securityaffairs.com