Qihoo 360 Netlab researchers reported on Friday that they are tracking an uptick in botnet activity associated with a variant of Mirai. Targeted are ports 23 and 2323 on internet-connected devices made by ZyXEL Communications that are using default admin/CenturyL1nk and admin/QwestM0dem telnet credentials.
“About 60 hours ago, since 2017-11-22 11:00, we noticed big upticks on port 2323 and 23 scan traffic, with almost 100k unique scanner IP came from Argentina,” wrote researchers in a blog post on Friday. “After investigation, we are quite confident to tell this is a new Mirai variant.”
In October 2016, Mirai malware spread itself to IoT devices gaining access via default password and usernames. The malware then roped affected devices into a botnet and carried out distributed denial of service (DDoS) attacks. The largest of such attacks flooded DNS provider Dyn causing several well-known websites – Twitter, Spotify and Netflix – to go dark for hours.
Netlab said that this new Mirai variant is actively leveraging two new credentials, admin/CenturyL1nk and admin/QwestM0dem, identified in an exploit database last month.
Researchers said adversaries have automated the process of logging into ZyXEL devices using telnet credentials and coupled that with a separate hard coded superuser vulnerability (CVE-2016-10401) to gain root privileges on targeted devices.
“ZyXEL PK5001Z devices have zyad5001 as the su (superuser) password, which makes it easier for remote attackers to obtain root access if a non-root account password is known (or a non-root default account exists within an ISP’s deployment of these devices),” according to the CVE description of the vulnerability.
Speaking with the publication Bleeping Computer, Netlab researchers said there has been a spike by attackers leveraging publicly disclosed details of the exploit since it was released in October.
“The PoC published last month automates the process of logging into a remote ZyXEL device using one of the two telnet passwords, and then uses the hardcoded su password to gain root privileges,” researchers told the Bleepining Computer website.
According to Qihoo 360 researchers, the abuse of these two credentials began on Nov. 22 and reached its peak the next morning. Researchers said most of the scanner IP traffic originated in Argentina with about 65.7k unique scanners in less than a single day and 100k over Thursday and Friday.
“Even a year after the initial release, Mirai botnet infections are still widespread, a troubling indicator poor cybersecurity practices across all industries,” said SecurityScorecard in report released this fall. “SecurityScorecard identified 184,258 IPv4 addresses as IoT devices infected with Mirai IoT malware from August 1, 2016 to July 31, 2017.”
It’s not the first time that researchers, or attackers for that matter, have managed to undermine the security of equipment made by ZyXEL.
In June, Stefan Viehböck, a researcher with SEC Consult Vulnerability Lab, discovered WiMAX routers manufactured by ZyXEL were vulnerable to an authentication bypass that could let an attacker change the password of the admin user, gain access to the device, or the network behind it.
In January, researcher Pedro Ribeiro of Agile Information Security found accessible admin accounts and command injection vulnerabilities in ZyXEL routers distributed by TrueOnline, Thailand’s largest broadband company.
“This make us wondering it is an attack focus on several specific types of IoT device, and these devices are widely deployed in Argentina, just as what happened in last year Telekom event,” Netlab researchers wrote on Friday.