The latest Mirai-based botnet is Wicked. Unlike previous Mirai variants and sibilings, which compromised IoT devices with default credentials or brute forcing credentials, Wicked is targetting vulnerabilities contained in certain IoT devices.
Wicked scans ports 8080, 8443, 80, and 81. Specifically it is targetting the following devices/vulnerabilities:
The Invoker Shell is interesting in that it does not exploit the device, but rather takes advantage of previously compromised web servers.
After successful exploitation, it downloads what appears to be Omni Bot, the same code delivered by the attacks on the DASAN GPON home routers, providing at least some anecdotal evidence that the two are related.
Fortinet has an excellent analysis of their research into this attempted exploitation.
Threatpost provides some more detail into the Wicked behaviour.
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
May 21st 2018
10 months ago