18 June 2019

Echobot botnet includes 26 new exploits, targets IoT devices, Oracle, VMware apps

Operators of a relatively new botnet called Echobot are adding new exploits to their arsenal to infect a wide range of systems, including IoT devices and the enterprise applications Oracle WebLogic and VMware SD-WAN.

The Echobot botnet is based on the Mirai malware and was first observed by Palo Alto Networks’ researchers at the beginning of June 2019. At the time of its discovery, Echobot contained 18 exploits (8 of them entirely new to Mirai malware). Recently, however, Akamai’s Security Intelligence Response Team (SIRT) spotted a new version of the botnet, which currently uses 26 different exploits to propagate.

According to Akamai Technologies expert Larry Cashdollar, in the new version of Echobot its operators added exploits for AirOS, Asmax, DD-WRT, D-Link, Linksys, Seowon Intech, Yealink and Zeroshell products to the list of previously observed Echobot exploits for products from ADM, Asus, Belkin, Blackbot, Dell, Dreambox, Geutebruck, HooToo, Netgear, NUUO, Oracle, Realtek, SuperSign, UMotion, VeraLite, VMware, wePresent and WIFICAM. Most of the exploits are for well-known command execution vulnerabilities in various networked devices.

“What I found the most interesting, and not so surprising, is the inclusion of cross-application vulnerabilities. For example, rather than sticking to devices with embedded OSs like routers, cameras, and DVRs, IoT botnets are now using vulnerabilities in enterprise web (Oracle WebLogic) and networking software (VMware SD-WAN) to infect targets and propagate malware,” wrote Cashdollar in the company blog.

The list of exploits includes not only recent vulnerabilities but also decade-old ones that have remained unpatched by vendors. This approach shows that malware authors do not care about the age of a bug as long as there is a substantial number of vulnerable devices.

Cashdollar also found that the command-and-control servers are set to the domains akumaiotsolutions[.]pw and akuma[.]pw, although they do not resolve to an IP address.
