Mirai Botnet Exploits Zero-Day Vulnerabilities in Routers for Global DDoS Attacks

In the wave of digitalization and industrial transformation, strongly supported by artificial intelligence (AI), Vietnam is facing an unprecedented cybersecurity threat from a new variant of the Mirai botnet. With its sophisticated attack capabilities and tremendous destructive power, this botnet is causing deep concerns for the cybersecurity community both domestically and internationally.
Detailed information
According to FPT Threat Intelligence, this new Mirai variant has built a network of 15,000 compromised devices operating continuously, 24/7. Particularly dangerous, it can exploit previously unknown (zero-day) vulnerabilities in industrial routers and IoT devices, making defense extremely difficult.
According to traffic monitoring data from the cloud service provider, the DDoS attack traffic in one incident was estimated at around 100GB.

In Vietnam, as an emerging market in the industrial and digital sectors, this situation is becoming even more serious. Many large industrial zones in Bac Ninh, Bac Giang, Hai Phong, and Dong Nai are using industrial routers that can be exploited through these vulnerabilities. Additionally, the wave of smart home device adoption is creating fertile ground for botnets to grow.
This botnet malware combines public and private exploits for more than 20 vulnerabilities to spread to internet-connected devices, targeting DVRs, industrial and home routers, and smart home devices.
Specifically, it targets the following devices:
ASUS routers (through N-day vulnerabilities)
Huawei routers (via CVE-2017-17215)
Neterbit routers (custom exploits)
LB-Link routers (via CVE-2023-26801)
Four-Faith industrial routers (through a zero-day vulnerability currently tracked as CVE-2024-12856)
PTZ cameras (via CVE-2024-8956 and CVE-2024-8957)
Kguard DVRs
Lilin DVRs (through remote code execution vulnerabilities)
Generic DVRs (using vulnerabilities like TVT editBlackAndWhiteList RCE)
Vimar smart home devices (potentially using undisclosed vulnerabilities)
Various 5G/LTE devices (possibly through misconfiguration or weak credentials)
With increasingly sophisticated attack capabilities and tremendous destructive power, the new Mirai botnet is a major challenge for Vietnam's cybersecurity. Proactively implementing preventive solutions and raising awareness about cybersecurity is a critical requirement for all organizations and businesses at this time. Only close coordination between stakeholders can minimize risks and effectively protect network systems from these increasingly complex threats.
ATTACK TRENDS IN VIETNAM
The new Mirai botnet is showing worrying attack trends:
Main Targets:
Security cameras (IP cameras).
Low-cost routers from popular manufacturers.
Home IoT devices like smart TVs, DVRs, and smart home controllers.
Industrial zones with foreign investment.
Financial and banking systems.
Critical industrial infrastructure.
IoT networks in residential environments.
Reasons:
The rate of using low-cost IoT devices in Vietnam is high, with many devices still using default passwords or not being updated regularly.
Security awareness among individual users and small businesses is limited.
Commonly exploited vulnerabilities:
CVE-2020-3452: Vulnerability in Cisco ASA network devices.
CVE-2021-36260: Vulnerability in Hikvision cameras.
CVE-2022-30525: Vulnerability in Zyxel routers.
Exploitation method: Mirai uses automated scripts to scan and exploit vulnerabilities on a large scale, turning compromised devices into zombies in the botnet.
DDOS attack methods:
Attacks by sending large amounts of SYN, HTTP, or UDP packets to overload the system.
Using infected devices in Vietnam as a source to attack targets both domestically and internationally.
AI in botnets: some new variants use machine-learning techniques to detect and exploit vulnerable devices. As a result, new variants can integrate more complex vulnerability exploits targeting a range of platforms.
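The SYN/HTTP/UDP flood methods and the "infected devices in Vietnam as a source" point above can be turned into two complementary checks: the victim-side view (one destination hammered from many sources) and the source-side view (one of our own devices hammering an outside address). The script below is an added example and is not part of the report or of any FPT tool. It assumes per-second flow summaries of the shape (epoch_second, src_ip, dst_ip, proto, detail, packets), such as a NetFlow/IPFIX collector can produce; the internal address ranges, thresholds and traffic records are constructed for the example and the thresholds must be tuned to your own baseline.

```python
"""Flood and infected-source detection over per-second flow summaries (added example).

Input records are assumed to be (epoch_second, src_ip, dst_ip, proto, detail, packets),
where `detail` is "SYN" for TCP SYN-only packets, "HTTP" for completed HTTP requests,
or the destination port for UDP. All thresholds are assumed values for the example."""
import ipaddress
from collections import defaultdict

# Alert thresholds per one-second bucket (assumed; tune to your baseline).
THRESHOLDS = {"syn": 2000, "udp": 5000, "http": 1000}
MIN_DISTINCT_SOURCES = 50    # many sources => botnet-shaped, not one misbehaving host
EGRESS_PPS_THRESHOLD = 1000  # one internal host sending this much to one outside host

# Address space of "our" network; constructed for the example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(proto, detail):
    """Map a flow record onto the attack kinds listed in the report."""
    if proto == "tcp" and detail == "SYN":
        return "syn"
    if proto == "tcp" and detail == "HTTP":
        return "http"
    if proto == "udp":
        return "udp"
    return None


def detect_floods(flows):
    """Victim-side view: per (second, destination, kind) volume from many sources."""
    buckets = defaultdict(lambda: {"pkts": 0, "srcs": set()})
    for ts, src, dst, proto, detail, pkts in flows:
        kind = classify(proto, detail)
        if kind is None:
            continue
        b = buckets[(ts, dst, kind)]
        b["pkts"] += pkts
        b["srcs"].add(src)
    alerts = []
    for (ts, dst, kind), b in sorted(buckets.items()):
        if b["pkts"] >= THRESHOLDS[kind] and len(b["srcs"]) >= MIN_DISTINCT_SOURCES:
            alerts.append({
                "ts": ts, "dst": dst, "kind": kind, "pkts": b["pkts"],
                "sources": len(b["srcs"]),
                # bots inside our own network are the ones we can actually clean up
                "internal_sources": sum(1 for s in b["srcs"] if is_internal(s)),
            })
    return alerts


def detect_egress_sources(flows):
    """Source-side view: an internal device hammering one external address,
    i.e. our own compromised IoT device being used against someone else."""
    buckets = defaultdict(int)
    for ts, src, dst, proto, detail, pkts in flows:
        kind = classify(proto, detail)
        if kind is None or not is_internal(src) or is_internal(dst):
            continue
        buckets[(ts, src, dst, kind)] += pkts
    return [{"ts": ts, "src": src, "dst": dst, "kind": kind, "pkts": pkts}
            for (ts, src, dst, kind), pkts in sorted(buckets.items())
            if pkts >= EGRESS_PPS_THRESHOLD]


def build_sample_flows():
    """Constructed traffic: a 60-source SYN flood, some normal traffic, and one
    internal camera blasting UDP at an outside victim on its own."""
    flows = []
    for i in range(40):   # external bots
        flows.append((100, f"198.51.100.{i + 1}", "203.0.113.10", "tcp", "SYN", 50))
    for i in range(20):   # bots on our own IoT segment
        flows.append((100, f"10.20.0.{i + 1}", "203.0.113.10", "tcp", "SYN", 50))
    flows.append((100, "192.168.1.5", "203.0.113.11", "tcp", "SYN", 3))  # benign
    flows.append((101, "10.30.0.7", "192.0.2.44", "udp", "53", 6000))   # lone egress bot
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    for alert in detect_floods(sample):
        print("FLOOD ", alert)
    for hit in detect_egress_sources(sample):
        print("EGRESS", hit)
```

The two views deliberately disagree on the lone UDP sender: 6,000 packets per second from a single source is not "botnet-shaped" for the victim-side rule, but it is exactly what a single infected camera on your own segment looks like, which is why the egress rule keys on (internal source, external destination) instead of on destination volume. The twenty internal SYN bots are below the per-host egress threshold individually and are surfaced through the `internal_sources` count of the flood alert instead.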
CONSEQUENCES
The new attacks from the Mirai botnet can cause serious consequences for Vietnam's economy:
Direct damage:
Disruption in production at FDI factories can result in losses of hundreds of billions of dong each day
Paralysis of banking and electronic payment systems affects economic transactions
Increased costs for recovery and attack prevention
Indirect impact:
Affects the reputation and competitiveness of Vietnamese businesses
Reduces foreign investors' confidence
Disrupts the supply chain in the region
Recommendations
FPT Threat Intelligence recommends urgent and effective protective measures to deal with new variants of the Mirai botnet:
Regularly update the list of IOC (Indicators of Compromise) for Mirai variants and add them to the blacklist on the firewall system (you can contact FPT Threat Intelligence for monthly updates).
Mirai often targets IoT devices with weak security (IP cameras, routers, DVRs, etc.). Check the list of devices and ensure they are updated with the latest software (firmware).
If the manufacturer has released a patch, update immediately to fix vulnerabilities.
Stop using unsupported devices: If a device is no longer supported, replace it with new devices with better security.
Change default passwords: Use strong, unique passwords for all IoT devices.
Disable unnecessary services: Turn off Telnet and SSH if not in use.
Network protection:
Configure the firewall to limit access from the Internet.
Use a virtual private network (VPN) if remote access is needed.
Separate the network for IoT devices (create VLAN or separate network).
Use DDoS protection services: Subscribe to services from providers like Cloudflare, Akamai, or Arbor Networks to mitigate attack impacts.
Apply bandwidth limits to IoT devices to reduce the risk of exploitation.
Device scanning and cleaning tools: Use the Mirai Scanner tool to detect infected devices.
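The network-protection steps above (separate IoT segment, disable Telnet, limit access from the Internet, bandwidth limits per device) can be expressed as one default-deny forward policy on a Linux gateway. The script below is an added example, not part of the report; it assumes a gateway running nftables with three constructed interface names (vlan30 for IoT, lan0 for users, eth0 for the uplink). `render_iot_policy()` emits the ruleset and `policy_decision()` is a reference model of the same forward chain, so the intent of the rules can be checked without loading them.

```python
"""Render and model an nftables policy that isolates an IoT segment (added example).

Assumes a Linux gateway running nftables; interface names, allowed ports and the
per-device rate cap are constructed defaults and not taken from the report."""

DEFAULT_CFG = {
    "iot_iface": "vlan30", "lan_iface": "lan0", "wan_iface": "eth0",
    "allowed_tcp": (80, 443),     # cloud/firmware HTTPS only; add what your devices need
    "allowed_udp": (53, 123),     # DNS and NTP
    "telnet_ports": (23, 2323),   # Mirai's classic spreading ports; never cross a boundary
    "per_device_pps": 500,        # egress cap per IoT source address (assumed value)
}


def ports(seq):
    """Format a port tuple as an nftables anonymous set."""
    return "{ " + ", ".join(str(p) for p in seq) + " }"


def render_iot_policy(cfg=DEFAULT_CFG):
    """Return an nftables script with a default-deny forward chain for the IoT segment."""
    iot, lan, wan = cfg["iot_iface"], cfg["lan_iface"], cfg["wan_iface"]
    lines = [
        "table inet iot_seg {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
        "    # Telnet is how Mirai spreads: never let it cross a segment boundary",
        f'    tcp dport {ports(cfg["telnet_ports"])} log prefix "IOT-TELNET " drop',
        "    # IoT devices may not open connections into the user LAN",
        f'    iifname "{iot}" oifname "{lan}" log prefix "IOT-TO-LAN " drop',
        "    # Users may manage IoT devices (web UI, RTSP, ...)",
        f'    iifname "{lan}" oifname "{iot}" accept',
        "    # Per-device egress cap so one bot cannot saturate the uplink",
        f'    iifname "{iot}" oifname "{wan}" meter iot_egress '
        f'{{ ip saddr limit rate over {cfg["per_device_pps"]}/second }} drop',
        f'    iifname "{iot}" oifname "{wan}" tcp dport {ports(cfg["allowed_tcp"])} accept',
        f'    iifname "{iot}" oifname "{wan}" udp dport {ports(cfg["allowed_udp"])} accept',
        "    # Anything else leaving the IoT segment (scanning, odd-port C2) is logged and dropped",
        f'    iifname "{iot}" oifname "{wan}" log prefix "IOT-EGRESS-DENY " drop',
        f'    iifname "{lan}" oifname "{wan}" accept',
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def policy_decision(in_if, out_if, proto, dport, cfg=DEFAULT_CFG):
    """Reference model of the rendered forward chain for a NEW flow.
    Returns "accept" or "drop"; the rate-limit meter is stateful and not modelled."""
    iot, lan, wan = cfg["iot_iface"], cfg["lan_iface"], cfg["wan_iface"]
    if proto == "tcp" and dport in cfg["telnet_ports"]:
        return "drop"                       # telnet never crosses a boundary
    if in_if == iot and out_if == lan:
        return "drop"                       # IoT may not initiate into the user LAN
    if in_if == lan and out_if == iot:
        return "accept"                     # management from the LAN
    if in_if == iot and out_if == wan:
        allowed = cfg["allowed_tcp"] if proto == "tcp" else cfg["allowed_udp"]
        return "accept" if dport in allowed else "drop"
    if in_if == lan and out_if == wan:
        return "accept"
    return "drop"                           # default policy


if __name__ == "__main__":
    print(render_iot_policy())
```

Load the output with `nft -f`. Ordering matters: the Telnet and IoT-to-LAN drops sit before the accepts, and the meter sits before the allow rules so a device that exceeds its cap is dropped even on ports it is otherwise allowed to use. The `IOT-EGRESS-DENY` log line is the useful one for hunting: a camera that suddenly tries ports 23, 2323 or an unexpected high port outbound is behaving like a scanner, not a camera.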
IOCs
IP
123.249.103.79 China|Beijing|Beijing City AS55990|HUAWEI
123.249.109.227 China|Beijing|Beijing City AS55990|HUAWEI
123.249.111.22 China|Beijing|Beijing City AS55990|HUAWEI
123.249.116.30 China|Beijing|Beijing City AS55990|HUAWEI
123.249.116.81 China|Beijing|Beijing City AS55990|HUAWEI
123.249.126.147 China|Beijing|Beijing City AS55990|HUAWEI
123.249.64.207 China|Beijing|Beijing City AS55990|HUAWEI
123.249.68.177 China|Beijing|Beijing City AS55990|HUAWEI
123.249.82.162 China|Beijing|Beijing City AS55990|HUAWEI
123.249.82.229 China|Beijing|Beijing City AS55990|HUAWEI
123.249.87.110 China|Beijing|Beijing City AS55990|HUAWEI
123.249.90.104 China|Beijing|Beijing City AS55990|HUAWEI
123.249.90.23 China|Beijing|Beijing City AS55990|HUAWEI
123.249.91.159 China|Beijing|Beijing City AS55990|HUAWEI
123.249.94.157 China|Beijing|Beijing City AS55990|HUAWEI
123.249.99.231 China|Beijing|Beijing City AS55990|HUAWEI
124.71.235.245 China|Beijing|Beijing City AS55990|HUAWEI
176.97.210.250 Germany|Hessen|Frankfurt am Main AS49581|Ferdinand Zink trading as Tube-Hosting
178.211.139.105 Poland|Mazowieckie|Warsaw AS201814|MEVSPACE sp. z o.o.
178.211.139.196 Poland|Mazowieckie|Warsaw AS201814|MEVSPACE sp. z o.o.
178.211.139.241 Poland|Mazowieckie|Warsaw AS201814|MEVSPACE sp. z o.o.
185.16.39.37 Poland|Mazowieckie|Warsaw AS201814|MEVSPACE sp. z o.o.
193.32.162.34 The Netherlands|None|None AS47890|UNMANAGED LTD
193.34.214.123 Poland|Mazowieckie|Warsaw AS201814|MEVSPACE sp. z o.o.
193.42.12.166 Germany|Hessen|Frankfurt am Main AS58212|dataforest GmbH
194.50.16.198 The Netherlands|Noord-Holland|Amsterdam AS49870|Alsycon B.V.
198.98.51.91 United States|New York|Staten Island AS53667|FranTech Solutions
198.98.54.234 United States|New York|Staten Island AS53667|FranTech Solutions
209.141.32.195 United States|Nevada|Las Vegas AS53667|FranTech Solutions
209.141.51.21 United States|Nevada|Las Vegas AS53667|FranTech Solutions
37.114.63.100 Germany|Hessen|Frankfurt am Main AS60461|intercolo GmbH
45.128.232.200 Bulgaria|Sofia|Sofia AS202685|Aggros Operations Ltd.
45.142.122.187 Russia|Moscow|Moscow AS210644|AEZA GROUP Ltd
45.142.182.126 Germany|None|None AS44592|SkyLink Data Center BV
45.145.41.175 United States|Washington|Seattle AS205770|SC ITNS.NET SRL
45.148.10.230 The Netherlands|Noord-Holland|Amsterdam AS48090|PPTECHNOLOGY LIMITED
45.95.147.211 The Netherlands|Noord-Holland|Amsterdam AS49870|Alsycon B.V.
5.181.188.158 Poland|Mazowieckie|Warsaw AS201814|MEVSPACE sp. z o.o.
70.36.99.15 United States|California|Los Angeles AS22439|Perfect International, Inc
77.90.22.10 Germany|Hessen|Frankfurt am Main AS12586|GHOSTnet GmbH
77.90.22.35 Germany|Hessen|Frankfurt am Main AS12586|GHOSTnet GmbH
94.156.10.163 Bulgaria|None|None AS0|
94.156.10.164 Bulgaria|None|None AS0|
95.214.53.211 Poland|Mazowieckie|Warsaw AS201814|MEVSPACE sp. z o.o.
95.214.54.53 Poland|Mazowieckie|Warsaw AS201814|MEVSPACE sp. z o.o.
Downloader
101.42.158.190 China|Beijing|Beijing City AS45090|Tencent
101.43.141.112 China|Beijing|Beijing City AS45090|Tencent
107.189.28.60 Luxembourg|Luxembourg|Luxembourg AS53667|FranTech Solutions
108.233.83.51 United States|California|Santa Clara AS7018|AT&T
1.13.102.222 China|Jiangsu|Nanjing City AS45090|Tencent
152.32.237.129 United States|Virginia|Reston AS135377|UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED
193.32.162.34 The Netherlands|None|None AS47890|UNMANAGED LTD
198.98.54.234 United States|New York|Staten Island AS53667|FranTech Solutions
203.23.159.152 Australia|Victoria|Southbank AS9648|Australia On Line Pty Ltd
209.141.32.148 United States|Nevada|Las Vegas AS53667|FranTech Solutions
209.141.35.56 United States|Nevada|Las Vegas AS53667|FranTech Solutions
209.141.51.21 United States|Nevada|Las Vegas AS53667|FranTech Solutions
209.141.55.38 United States|Nevada|Las Vegas AS53667|FranTech Solutions
209.141.57.222 United States|Nevada|Las Vegas AS53667|FranTech Solutions
37.114.63.100 Germany|Hessen|Frankfurt am Main AS60461|intercolo GmbH
45.142.122.187 Russia|Moscow|Moscow AS210644|AEZA GROUP Ltd
65.175.140.164 United States|Massachusetts|Boston AS11776|Breezeline
77.90.22.35 Germany|Hessen|Frankfurt am Main AS12586|GHOSTnet GmbH
95.214.53.211 Poland|Mazowieckie|Warsaw AS201814|MEVSPACE sp. z o.o.
meowware.ddns.net
CC
meowware.ddns.net
Sample SHA1
3287158c35c93a23b79b1fbb7c0e886725df5faa
ba9224828252e0197ea5395dad9bb39072933910
fe72a403f2620161491760423d21e6a0176852c3
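The first recommendation above (add the Mirai IOCs to the firewall blacklist) and the IOC lists in this section fit together as follows. The script below is an added example and is not part of the report or of any FPT tool. It assumes the IOC lines keep the report's own layout (`IP country|region|city ASnnn|org`) and that the gateway runs nftables; the handful of IOC entries embedded in it are copied from the lists above (including 193.32.162.34, which appears in both the IP and Downloader lists), while the log lines it scans are constructed.

```python
"""Build an nftables blocklist from the report's IOC lists and match them in logs (added example).

Assumes the report's "IP country|region|city ASnnn|org" layout and a gateway running
nftables. Embedded IOC entries are copied from the report; the log lines are constructed."""
import re

IOC_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<geo>.*?)\s+AS(?P<asn>\d+)\|(?P<org>.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
SHA1_RE = re.compile(r"\b[0-9a-f]{40}\b")

# Entries copied from the IOC section; 193.32.162.34 is in both lists on purpose.
IP_LIST_LINES = """\
123.249.103.79 China|Beijing|Beijing City AS55990|HUAWEI
193.32.162.34 The Netherlands|None|None AS47890|UNMANAGED LTD
94.156.10.163 Bulgaria|None|None AS0|
"""
DOWNLOADER_LINES = """\
193.32.162.34 The Netherlands|None|None AS47890|UNMANAGED LTD
209.141.32.148 United States|Nevada|Las Vegas AS53667|FranTech Solutions
"""
CC_DOMAINS = {"meowware.ddns.net"}
SAMPLE_SHA1 = {"3287158c35c93a23b79b1fbb7c0e886725df5faa",
               "ba9224828252e0197ea5395dad9bb39072933910"}

# Constructed gateway / resolver / EDR log lines.
SAMPLE_LOGS = [
    "Jan 10 03:12:44 gw kernel: IN=vlan30 OUT=eth0 SRC=10.30.0.7 DST=193.32.162.34 PROTO=TCP DPT=80 SYN",
    "Jan 10 03:12:45 gw dnsmasq[811]: query[A] meowware.ddns.net from 10.30.0.7",
    "Jan 10 03:12:46 gw kernel: IN=vlan30 OUT=eth0 SRC=10.30.0.9 DST=192.0.2.53 PROTO=UDP DPT=53",
    "Jan 10 03:13:01 edr: file /tmp/.x sha1=3287158c35c93a23b79b1fbb7c0e886725df5faa quarantined",
]


def parse_ioc_lines(text, role):
    """Parse one IOC list into {ip: {"roles", "asn", "org"}}. Lines that do not match
    the layout (headings, garbage) are skipped rather than turned into block rules."""
    out = {}
    for line in text.splitlines():
        m = IOC_LINE.match(line.strip())
        if m:
            out[m["ip"]] = {"roles": {role}, "asn": int(m["asn"]),
                            "org": m["org"].strip() or "unknown"}
    return out


def merge_iocs(*tables):
    """Union several parsed lists; an IP present in more than one list keeps every role."""
    merged = {}
    for table in tables:
        for ip, info in table.items():
            if ip in merged:
                merged[ip]["roles"] |= info["roles"]
            else:
                merged[ip] = {"roles": set(info["roles"]), "asn": info["asn"], "org": info["org"]}
    return merged


def render_nft_ruleset(iocs, table="mirai_ioc"):
    """nftables script that drops traffic to/from the IOC set on input, forward and output.
    Forward and output are the important ones: an infected camera calling its downloader
    shows up on these counters long before the network is attacked from outside."""
    def element(ip, info):
        label = f"{'/'.join(sorted(info['roles']))} AS{info['asn']} {info['org']}"
        return f'    {ip} comment "{label}"'
    ordered = sorted(iocs.items(), key=lambda kv: tuple(int(o) for o in kv[0].split(".")))
    elems = ",\n".join(element(ip, info) for ip, info in ordered)
    return (f"table inet {table} {{\n"
            "  set blocklist {\n    type ipv4_addr\n    elements = {\n" + elems + "\n    }\n  }\n"
            "  chain input {\n    type filter hook input priority -10; policy accept;\n"
            '    ip saddr @blocklist counter log prefix "MIRAI-IOC-IN " drop\n  }\n'
            "  chain forward {\n    type filter hook forward priority -10; policy accept;\n"
            '    ip daddr @blocklist counter log prefix "MIRAI-IOC-FWD " drop\n'
            '    ip saddr @blocklist counter log prefix "MIRAI-IOC-FWD " drop\n  }\n'
            "  chain output {\n    type filter hook output priority -10; policy accept;\n"
            '    ip daddr @blocklist counter log prefix "MIRAI-IOC-OUT " drop\n  }\n'
            "}\n")


def match_log_lines(lines, iocs, domains=CC_DOMAINS, hashes=SAMPLE_SHA1):
    """Scan log text for IOC IPs, the C2 domain and the sample hashes.
    Returns (line_no, kind, value, tag) tuples in line order."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in iocs:
                hits.append((n, "ip", ip, "/".join(sorted(iocs[ip]["roles"]))))
        low = line.lower()
        for domain in domains:
            if domain in low:
                hits.append((n, "domain", domain, "cc"))
        for digest in SHA1_RE.findall(low):
            if digest in hashes:
                hits.append((n, "sha1", digest, "sample"))
    return hits


if __name__ == "__main__":
    iocs = merge_iocs(parse_ioc_lines(IP_LIST_LINES, "botnet_ip"),
                      parse_ioc_lines(DOWNLOADER_LINES, "downloader"))
    print(render_nft_ruleset(iocs))
    for hit in match_log_lines(SAMPLE_LOGS, iocs):
        print("HIT", hit)
```

Feed the full IP and Downloader lists from this section into `parse_ioc_lines` and load the output with `nft -f`; when FPT publishes an updated list, regenerate and reload, since the set is replaced wholesale rather than appended to. The matcher is the cheap retroactive check: run it over a day of gateway, resolver and EDR logs to see whether anything inside already talked to these hosts before the block went in.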
References
New Mirai botnet targets industrial routers with zero-day exploits <https://www.bleepingcomputer.com/news/security/new-mirai-botnet-targets-industrial-routers-with-zero-day-exploits/>
Mirai.TBOT: a dangerous variant of the Mirai malware <https://ncsgroup.vn/mirai-tbot-bien-the-nguy-hiem-cua-ma-doc-mirai/>
A Botnet Deliver Through a Four-Faith Industrial Router 0-day Exploit <https://blog.xlab.qia.nxin.com/gayfemboy-en/>