17 December 2019

New Mirai variant Echobot contains a total of 71 unique exploits, 13 previously unexploited in the wild



The Mirai variant known as Echobot has resurfaced once again with an increased number of vulnerabilities it can exploit in devices, with the latest version incorporating a whopping total of 71 unique exploits, 13 of which haven’t been seen exploited in the wild until recently. These range from ancient CVEs going as far back as 2003, to newer vulnerabilities made public as recently as early December 2019, suggesting the attackers are aiming at both legacy devices that are too old and can’t be patched due to compatibility issues, and fresh vulnerabilities that are too recent for owners to have patched.

The Echobot strain was first seen in the wild in May 2019. The latest version first emerged on October 28th, 2019 for a couple of hours, after which it was taken down. It then resurfaced on the 3rd of December, switching payload IPs and finally adding 2 more exploits that weren’t in the samples from October.

“The newly incorporated exploits target a range of devices from the usually expected routers, firewalls, IP cameras and server management utilities, to more rarely seen targets like a PLC, an online payment system and even a yacht control web application,” according to the latest post from Palo Alto Networks’ Unit 42.

One of the more unusual flaws is CVE-2019-17270, a remote code execution (RCE) vulnerability in the above-mentioned Yachtcontrol web servers, which allow yacht owners to remotely control the functions of their vessels.

“It’s possible to perform direct operating system commands as an unauthenticated user via the ‘/pages/systemcall.php?command={COMMAND}’ page and parameter, where {COMMAND} will be executed and returning the results to the client,” the description of the bug reads.
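For defenders, the request pattern in that description can be searched for in web server access logs. The Python sketch below is an added example, not code from Unit 42 or from the original article; it assumes logs in the common/combined access-log format, and the sample log lines and function name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Path and parameter named in the CVE-2019-17270 description quoted above.
VULN_PATH = "/pages/systemcall.php"
VULN_PARAM = "command"

# Common/combined log format: ip - - [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_systemcall_hits(lines):
    """Return one dict per request that reaches systemcall.php with a command value."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        parts = urlsplit(m["target"])
        # Percent-decode the path so encoded variants of the file name still match.
        path = unquote(parts.path)
        if not path.endswith(VULN_PATH):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        if VULN_PARAM not in params:
            continue  # page requested without the command parameter
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "status": int(m["status"]),
            "command": params[VULN_PARAM][0],  # parse_qs has already decoded it
        })
    return hits

# Constructed sample log lines (documentation IP ranges, harmless command values).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Dec/2019:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Dec/2019:10:01:05 +0000] "GET /pages/systemcall.php?command=id HTTP/1.1" 200 48',
    '203.0.113.9 - - [03/Dec/2019:10:02:11 +0000] "GET /pages/%73ystemcall.php?command=uname%20-a HTTP/1.1" 404 0',
    '192.0.2.10 - - [03/Dec/2019:10:03:00 +0000] "GET /pages/systemcall.php HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for hit in find_systemcall_hits(SAMPLE_LOG):
        print(hit)
```

A hit answered with status 200 on a host that actually runs this web application deserves priority over a 404 returned to a scanner probing an unrelated server.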

Other recently added exploits are listed below:

CVE-2019-18396

AVCON6RCE

CVE-2019-16072

CVE-2019-14931

Sar2HTMLRCE

CVE-2017-16602

CVE-2017-6316

CVE-2013-5912

ACTiASOC2200RCE

3ComOfficeConnectRCE

CVE-2006-4000

CCBillRCE

“The Mirai variant ECHOBOT differentiates itself from concurrent variants by the sheer volume of vulnerabilities targeted, as opposed to other variants that stick to certain vulnerabilities that have proven effective over time,” the researchers said.

“We are unable to speculate at this point in time on the overall effectiveness of their approach – be it the use of a large number of exploits, or the choice of the exploits themselves,” they added.

The full list of the CVEs Echobot exploits and Indicators of Compromise (IoCs) can be found in the last part of Palo Alto’s blog post.

 
