steven36 Posted June 14, 2019

A relatively new botnet called Echobot has grown the number of exploits it uses to propagate to 26. Most of the exploitation code it includes targets unpatched IoT devices, but the enterprise applications Oracle WebLogic and VMware SD-WAN are among the targets, too.

Echobot is based on the Mirai malware, like hundreds of other botnets that emerged once the source code became publicly available. It was first disclosed (https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/) earlier this month by researchers at Palo Alto Networks, who found it contained 18 exploits at the time.

IoT devices are the main targets

Larry Cashdollar of Akamai's Security Intelligence Response Team (SIRT) observed a new version of the Echobot botnet, which adds eight new exploits to help it propagate. "I counted 26 different exploits that were being used in the spread of this botnet. Most were well-known command execution vulnerabilities in various networked devices," says Cashdollar.

The targets of the latest Echobot variant include network-attached storage (NAS) devices, routers, network video recorders (NVR), IP cameras, IP phones, and wireless presentation systems.

Decades-old bugs exploited

Cashdollar had trouble determining the vulnerabilities leveraged by the botnet because some of them had public advisories but no tracking number assigned to them. He fixed the problem by contacting MITRE and having it allocate identification numbers to the infection vectors he found lacking a CVE. This effort is helpful not just for his research but also for other professionals who find vulnerabilities exploited in the wild, as CVE numbers are the standard classification used by the infosec community.
Cashdollar also compiled a list with the bugs leveraged by the new Echobot variant:

An interesting aspect the researcher noted is that the botnet author(s) expanded the list of targets beyond the IoT landscape and added exploits for Oracle WebLogic Server and for the networking software VMware SD-WAN, which is used to provide access to cloud services, private data centers, and SaaS-based enterprise applications.

Decade-old vulnerabilities are also present on the list, showing that malware authors do not care about the age of a flaw as long as there is an attractive number of unpatched devices. This shows that many vulnerable systems are still in use, and chances are they will remain so until they are disconnected for good.

Cashdollar's research revealed that Echobot uses the same attack code derived from Mirai; the only difference seems to be the exploits that help it spread. He found that the command and control servers are set to the domains akumaiotsolutions[.]pw and akuma[.]pw, although they do not resolve to an IP address.
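The two command and control domains above are the one concrete indicator the article gives defenders. Even though they did not resolve at the time, an infected device will still attempt the lookup, so a DNS resolver log is a natural place to hunt for them. The script below is an added example (not code from the article or from Akamai): it refangs the defanged indicators, scans constructed BIND-style query log lines, and reports clients that queried a C2 domain or any subdomain of one. The log format, client addresses and the subdomain "cnc.akuma.pw" are assumptions for illustration.

```python
import re
from typing import List, Optional

# Defanged C2 domains reported for this Echobot variant (as given in the article).
DEFANGED_C2_DOMAINS = ["akumaiotsolutions[.]pw", "akuma[.]pw"]


def refang(indicator: str) -> str:
    """Turn defanged notation ("[.]", "hxxp") back into a matchable domain."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")


def matches_c2(qname: str, c2_domains: List[str]) -> Optional[str]:
    """Return the C2 domain that qname equals or is a subdomain of, else None.

    Suffix matching is anchored on a leading dot so that an unrelated
    domain such as "notakuma.pw" does not match "akuma.pw".
    """
    q = qname.lower().rstrip(".")
    for domain in c2_domains:
        if q == domain or q.endswith("." + domain):
            return domain
    return None


# Constructed sample lines in a BIND-style query log format (not real traffic).
SAMPLE_DNS_LOG = """\
14-Jun-2019 10:01:02.123 client 192.0.2.10#51234: query: www.example.com IN A + (192.0.2.1)
14-Jun-2019 10:01:05.456 client 192.0.2.44#40021: query: akumaiotsolutions.pw IN A + (192.0.2.1)
14-Jun-2019 10:01:09.789 client 192.0.2.44#40022: query: cnc.akuma.pw IN A + (192.0.2.1)
14-Jun-2019 10:02:00.000 client 192.0.2.77#33333: query: notakuma.pw IN A + (192.0.2.1)
"""

# Pulls the querying client and the queried name out of a BIND query log line.
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def find_c2_lookups(log_text: str, defanged_domains: List[str] = DEFANGED_C2_DOMAINS) -> List[dict]:
    """Scan query log text and return one record per lookup of a C2 domain."""
    c2 = [refang(d) for d in defanged_domains]
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip
        matched = matches_c2(m.group("qname"), c2)
        if matched:
            hits.append({"client": m.group("client"), "qname": m.group("qname"), "c2": matched})
    return hits


if __name__ == "__main__":
    for hit in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"{hit['client']} queried {hit['qname']} (matches C2 domain {hit['c2']})")
```

A hit on a device that should never talk to the internet on its own (a camera, NVR or IP phone) is a strong signal that the device is compromised and should be isolated and reflashed or replaced; the article notes such devices tend to stay vulnerable until they are taken offline.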