Mirai and Gafgyt target Apache Struts and SonicWall to hit enterprises

Security experts with Unit 42 at Palo Alto Networks have discovered new variants of the Mirai and Gafgyt IoT malware targeting enterprises.

Both botnets appear very interesting for two main reasons:

• The new Mirai variant targets the same Apache Struts vulnerability exploited in the 2017 Equifax data breach. The vulnerability affects the Jakarta Multipart parser upload function in Apache and could be exploited by an attacker to make a maliciously crafted request to an Apache web server.
• The new Gafgyt variant targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).

The fact that bot malicious codes are targeting Apache Struts and SonicWall could indicate a shift from consumer device targets to enterprise targets.

“These developments suggest these IOT botnets are increasingly targeting enterprise devices with outdated versions.” reads the analysis published by Palo Alto Networks.

“All organizations should ensure they keep not only their systems up-to-date and patched, but also their IoT devices.” 

In September the experts detected Mirai samples that include the exploit code for 16 vulnerabilities, for the first time the malware target vulnerability in Apache Struts.

The samples are hosted on a domain that in August resolved to a different IP address August. In August, the same IP address was intermittently hosting samples of Gafgyt that were including the exploit code to trigger the CVE-2018-9866 flaw affecting older versions of SonicWall Global Management System (GMS).

The same domain has also been found associated with other Mirai activity in the past.

“For part of the month of August 2018, that same domain resolved to a different IP address 185[.]10[.]68[.]127.” continues the analysis. “At that time we found that IP hosting samples of Gafgyt containing an exploit for a recently disclosed SonicWall vulnerability (CVE-2018-9866) affecting older, unsupported versions of SonicWall Global Management System (GMS) (8.1 and older) that is not present in currently supported versions.” 

Experts noticed that the new Mirai samples don’t include the bruteforce functionality differently from other variants, they use l[.]ocalhost[.]host:47883 as C2, and implement the same encryption scheme as Mirai with the key 0xdeadf00d.

The Gafgyt samples first appeared in the wild on August 5, a few days after the publication of a Metasploit module for the SonicWall issue.  The samples borrow the code from Gafgyt rather than Mirai.

“The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could be an indication of a larger movement from consumer device targets to enterprise targets.” concludes Palo Alto Networks.

Further details, including IoCs, are reported in the analysis published by the experts.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – IoT botnet, Mirai)

[adrotate banner=”5″]

[adrotate banner=”13″]