The Mirai variant known as Echobot has resurfaced once again with an increased number of vulnerabilities it can exploit in devices, with the latest version incorporating a whopping total of 71 unique exploits, 13 of which haven’t been seen exploited in the wild until recently. These range from ancient CVEs going as far back as 2003, to newer vulnerabilities made public as recently as early December 2019, suggesting the attackers are aiming at both legacy devices that are too old and can’t be patched due to compatibility issues, and fresh vulnerabilities that are too recent for owners to have patched.
The Echobot strain was first seen in the wild in May 2019. The latest version first emerged on October 28th, 2019 for a couple of hours, after which it was taken down. It then resurfaced on the 3rd of December, switching payload IPs and finally adding 2 more exploits that weren’t in the samples from October.
“The newly incorporated exploits target a range of devices from the usually expected routers, firewalls, IP cameras and server management utilities, to more rarely seen targets like a PLC, an online payment system and even a yacht control web application," according to Palo Alto Networks’ Unit 42 latest posting.
One of the more unusual flaws includes CVE-2019-17270, an RCE-vulnerability in the above mentioned Yachtcontrol webservers, which allow yacht owners to remotely control the functions of their vessels.
“It’s possible to perform direct operating system commands as an unauthenticated user via the ‘/pages/systemcall.php?command={COMMAND}’ page and parameter, where {COMMAND} will be executed and returning the results to the client,” the description of the bug reads.
Other recently added exploits are listed below:
CVE-2019-18396
AVCON6RCE
CVE-2019-16072
CVE-2019-14931
Sar2HTMLRCE
CVE-2017-16602
CVE-2017-6316
CVE-2013-5912
ACTiASOC2200RCE
3ComOfficeConnectRCE
CVE-2006-4000
CCBillRCE
“The Mirai variant ECHOBOT differentiates itself from concurrent variants by the sheer volume of vulnerabilities targeted, as opposed to other variants that stick to certain vulnerabilities that have proven effective over time,” the researchers said.
“We are unable to speculate at this point in time on the overall effectiveness of their approach – be it the use of a large number of exploits, or the choice of the exploits themselves,” they added.
The full list of the CVEs Echobot exploits and Indicators of Compromise (IoCs) can be found in the last part of Palo Alto’s blog post.