Mirai and Gafgyt target Apache Struts and SonicWall to hit enterprises

Security experts with Unit 42 at Palo Alto Networks have discovered new variants of the Mirai and Gafgyt IoT malware targeting enterprises.

Both botnets appear very interesting for two main reasons:

The new Mirai variant targets the same Apache Struts vulnerability exploited in the 2017 Equifax data breach. The vulnerability affects the Jakarta Multipart parser upload function in Apache and could be exploited by an attacker to make a maliciously crafted request to an Apache web server.
The new Gafgyt variant targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).

The fact that bot malicious codes are targeting Apache Struts and SonicWall could indicate a shift from consumer device targets to enterprise targets.

“These developments suggest these IOT botnets are increasingly targeting enterprise devices with outdated versions.” reads the analysis published by Palo Alto Networks.

“All organizations should ensure they keep not only their systems up-to-date and patched, but also their IoT devices.”

In September the experts detected Mirai samples that include the exploit code for 16 vulnerabilities, for the first time the malware target vulnerability in Apache Struts.

The samples are hosted on a domain that in August resolved to a different IP address August. In August, the same IP address was intermittently hosting samples of Gafgyt that were including the exploit code to trigger the CVE-2018-9866 flaw affecting older versions of SonicWall Global Management System (GMS).

The same domain has also been found associated with other Mirai activity in the past.

“For part of the month of August 2018, that same domain resolved to a different IP address 185[.]10[.]68[.]127.” continues the analysis. “At that time we found that IP hosting samples of Gafgyt containing an exploit for a recently disclosed SonicWall vulnerability (CVE-2018-9866) affecting older, unsupported versions of SonicWall Global Management System (GMS) (8.1 and older) that is not present in currently supported versions.”

Experts noticed that the new Mirai samples don’t include the bruteforce functionality differently from other variants, they use l[.]ocalhost[.]host:47883 as C2, and implement the same encryption scheme as Mirai with the key 0xdeadf00d.

The Gafgyt samples first appeared in the wild on August 5, a few days after the publication of a Metasploit module for the SonicWall issue. The samples borrow the code from Gafgyt rather than Mirai.

“The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could be an indication of a larger movement from consumer device targets to enterprise targets.” concludes Palo Alto Networks.

Further details, including IoCs, are reported in the analysis published by the experts.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Securi ty Affairs – IoT botnet, Mirai)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.