Echobot IoT Botnet Casts a Wide Net with Raft of Exploit Additions

echobot iot botnet

13 new exploits have been added to the malware’s bag of tricks.

A variant of the Mirai Internet of Things (IoT) botnet known as “Echobot” has added 13 more vulnerability exploits to its bag of infiltration tricks, according to researchers. These target a range of devices, including routers, firewalls, IP cameras, server management utilities, a programmable logic controller used in industrial environments, an online payment system and even a Yachtcontrol web application.

The new additions range from old CVEs (one from 2006 is for Barracuda spam firewalls) to a bug that was disclosed just in early December. They bring the latest version of the malicious code to having a total of 71 unique exploits.

IoT botnets are bent on infecting connected devices in order to marshal their resources to carry out various nefarious activities, such as carrying out distributed denial-of-service (DDoS) attacks. As such, casting a wide net is a savvy strategy to scale the botnet.

Webinar Promotion for December

“One could risk a guess that the attackers could potentially be aiming for the sweet spots of IoT vulnerabilities, targeting either legacy devices that are still in use but probably too old to update due to compatibility issues and newer vulnerabilities that are too recent for owners to have patched,” according to researchers at Palo Alto Networks’ Unit 42 division, in a recent posting.

One of the more unusual bugs includes CVE-2019-17270, a remote code execution flaw in the previously mentioned Yachtcontrol webservers, which allow yacht owners to remotely control the functions of their vessels.

“It’s possible to perform direct operating system commands as an unauthenticated user via the ‘/pages/systemcall.php?command={COMMAND}’ page and parameter, where {COMMAND} will be executed and returning the results to the client,” according to the bug advisory.

CCBill Online Payment Systems was also targeted in the new version; CCBill handles online e-commerce payments for around 30,000 e-tailers, according to its website.

And, Echobot has added an exploit for a command-injection bug in the Citrix NetScaler SD-WAN product used by businesses to connect branch locations.

The latest version appeared in October “for a couple of hours” with 11 new bugs before it went back offline, according to Unit 42; then it resurfaced in early December with two additional exploits.

“These vulnerabilities haven’t been previously seen exploited in the wild prior to this version,” according to the posting.

Mirai variants continue  to crop up; in October 2016, Mirai malware spread itself to IoT devices gaining access via default password and usernames. The malware then roped affected devices into a botnet and carried out DDoS attacks. The largest of such attacks flooded DNS provider Dyn causing several well-known websites to go dark for hours. Mirai’s source code was subsequently leaked, leading to the rise of several other copycat botnets, including Echobot.

Free Threatpost Webinar: Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn’t mean forfeiting security. Join us on Dec. 18th at 2 pm EST as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint’s Lance James. Click here to register.

Suggested articles