Something Wicked this way comes
Last Updated: 2018-05-21 15:03:29 UTC
by Rick Wanner (Version: 1)
The latest Mirai-based botnet is Wicked. Unlike previous Mirai variants and sibilings, which compromised IoT devices with default credentials or brute forcing credentials, Wicked is targetting vulnerabilities contained in certain IoT devices.
Wicked scans ports 8080, 8443, 80, and 81. Specifically it is targetting the following devices/vulnerabilities:
- 80: Invoker Shell in compromised Web Servers
- 81 - CCTV-DVR
- 8443 - Netgear R7000 and R6400 (CVE-2016-6277)
- 8080 - Netgear DGN1000 and DGN2200
The Invoker Shell is interesting in that it does not exploit the device, but rather takes advantage of previously compromised web servers.
After successful exploitation, it downloads what appears to be Omni Bot, the same code delivered by the attacks on the DASAN GPON home routers, providing at least some anecdotal evidence that the two are related.
Fortinet has an excellent analysis of their research into this attempted exploitation.
Threatpost provides some more detail into the Wicked behaviour.
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)