Mozi IoT botnet now targets Netgear, Huawei, and ZTE network gateways


Microsoft researchers have published a blog post, detailing new capabilities of the Mozi IoT botnet, which recruits IoT devices to conduct distributed denial-of-service (DDoS) attacks, data exfiltration, and command or payload execution.

The Mozi botnet has been around for a while now, and it continues to evolve. According to the researchers, the botnet now targets network gateways manufactured by Netgear, Huawei, and ZTE, using the infected devices as an initial access point into corporate networks. It does so with persistence techniques that are specifically adapted to each gateway’s particular architecture.

"By infecting routers, they can perform man-in-the-middle (MITM) attacks—via HTTP hijacking and DNS spoofing—to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities," Microsoft said.

To increase its chances of survival, the malware prevents remote access to the infected gateway by blocking the following TCP ports:

  • 23—Telnet
  • 2323—Telnet alternate port
  • 7547—TR-069 port
  • 35000—TR-069 port on Netgear devices
  • 50023—Management port on Huawei devices
  • 58000—Unknown usage
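Because the port blocking locks administrators out of their own gateway, a simple defensive check is to baseline which management ports a gateway answers on and alert when one of them stops responding. The script below is an added example for that check, not Microsoft's tooling or Mozi's code; the gateway address and baseline port set are constructed, and a closed port is only a weak indicator on its own, since administrators also close Telnet deliberately.

```python
"""Flag management ports on a gateway that were reachable at baseline but are now blocked.

Added illustration only. The port list comes from the article; host and
baseline values below are constructed placeholders.
"""
import socket

# TCP ports the article says Mozi blocks, with the role it gives for each.
MOZI_BLOCKED_PORTS = {
    23: "Telnet",
    2323: "Telnet alternate port",
    7547: "TR-069",
    35000: "TR-069 (Netgear)",
    50023: "Management port (Huawei)",
    58000: "Unknown usage",
}


def tcp_reachable(host, port, timeout=2.0):
    """Return True if a TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def newly_blocked_ports(host, baseline, probe=tcp_reachable):
    """Return the ports from a known-good baseline scan that no longer answer.

    `probe` is injectable so the comparison logic can run without a network.
    """
    return sorted(p for p in baseline if not probe(host, p))


def assess(host, baseline, probe=tcp_reachable):
    """Split newly blocked ports into those matching the Mozi list and the rest.

    Returns (suspicious, other): a dict of port -> role for ports on the Mozi
    list, and a sorted list of any other ports that have stopped answering.
    """
    closed = newly_blocked_ports(host, baseline, probe)
    suspicious = {p: MOZI_BLOCKED_PORTS[p] for p in closed if p in MOZI_BLOCKED_PORTS}
    other = [p for p in closed if p not in MOZI_BLOCKED_PORTS]
    return suspicious, other


if __name__ == "__main__":
    GATEWAY = "192.0.2.1"          # constructed placeholder (documentation range)
    BASELINE = {23, 7547, 443}     # constructed: ports that answered when last checked
    flagged, other = assess(GATEWAY, BASELINE)
    for port, role in flagged.items():
        print(f"[!] {GATEWAY}:{port} ({role}) no longer reachable; matches Mozi port blocking")
    for port in other:
        print(f"[i] {GATEWAY}:{port} no longer reachable (not on the Mozi list)")
```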

Owners of affected network gateways should ensure that their devices are patched and up to date and are protected by a strong password. This will help to prevent such attacks, Microsoft said.
