Attack

Version of Mirai botnet exploits vulnerability in Mitel SIP Phones

Take action: If you are using Mitel SIP phones, plan a regular patch cycle. Botnets are using them as components of a profitable DDoS-for-hire service. It is worth securing your devices so that criminals cannot profit off you.



A new variant of the Mirai-based botnet malware, Aquabotv3, has been discovered actively exploiting vulnerabilities in Mitel SIP phones.

The main goal of Aquabotv3 is to build a DDoS attack network. The botnet is capable of launching various types of attacks, including TCP SYN, TCP ACK, UDP, GRE IP, and application-layer attacks. The operators market these DDoS capabilities on Telegram under multiple names: Cursinq Firewall, The Eye Services, and The Eye Botnet, positioning it as a tool for testing DDoS mitigation systems.

The current version, Aquabotv3, implements a feature that is unusual for botnets: a mechanism that detects termination signals and reports them back to its command-and-control (C2) server, giving the operators better monitoring of their bots.

It exploits CVE-2024-41710 (CVSS score 6.8): A command injection vulnerability affecting Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones. The flaw allows authenticated attackers with admin privileges to perform argument injection attacks during the boot process, leading to arbitrary command execution.

The attack process begins with brute-force attempts to gain initial authentication. Once authenticated, the attackers target the vulnerable endpoint '8021xsupport.html' with crafted HTTP POST requests. The vulnerability stems from improper input processing, allowing attackers to manipulate the phone's local configuration file (/nvdata/etc/local.cfg). Through the injection of line-ending characters, attackers can execute remote shell scripts during device boot.
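The sequence described above (a burst of failed admin logins from one source, followed by a POST to 8021xsupport.html from the same source) is something a defender can look for in the phone's or a fronting proxy's web access log. The following Python is an added detection example, not code from the advisory or from Mitel: it parses constructed Common Log Format lines (the sample log, the "/login.html" admin login path and the 401/200 status codes are assumptions; only the "8021xsupport.html" endpoint name comes from the text) and flags sources that reach the vulnerable endpoint shortly after repeated authentication failures.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not real device output). The login path and
# status codes are assumptions; the endpoint name comes from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "POST /login.html HTTP/1.1" 401 0
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "POST /login.html HTTP/1.1" 401 0
203.0.113.7 - - [10/Jan/2025:10:00:03 +0000] "POST /login.html HTTP/1.1" 401 0
203.0.113.7 - - [10/Jan/2025:10:00:04 +0000] "POST /login.html HTTP/1.1" 401 0
203.0.113.7 - - [10/Jan/2025:10:00:05 +0000] "POST /login.html HTTP/1.1" 401 0
203.0.113.7 - - [10/Jan/2025:10:00:06 +0000] "POST /login.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2025:10:00:09 +0000] "POST /8021xsupport.html HTTP/1.1" 200 0
192.0.2.10 - - [10/Jan/2025:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024
192.0.2.10 - - [10/Jan/2025:10:05:30 +0000] "POST /8021xsupport.html HTTP/1.1" 200 0
"""

LOGIN_PATH = "/login.html"          # hypothetical admin login path
TARGET_ENDPOINT = "8021xsupport.html"  # endpoint named in the advisory

# Common Log Format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_suspicious_sources(log_text, failure_threshold=5, window_seconds=600):
    """Flag sources that POST to the vulnerable endpoint after at least
    `failure_threshold` failed logins within the preceding `window_seconds`."""
    failures = defaultdict(list)  # ip -> timestamps of failed admin logins
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        # A 401 on the login path counts as one failed authentication attempt.
        if ev["path"] == LOGIN_PATH and ev["status"] == 401:
            failures[ev["ip"]].append(ev["ts"])
            continue
        # A POST to the vulnerable endpoint is only flagged when preceded by
        # enough recent failures from the same source; a lone admin config
        # change by a legitimate operator does not trigger an alert.
        if ev["method"] == "POST" and ev["path"].endswith(TARGET_ENDPOINT):
            recent = [t for t in failures[ev["ip"]]
                      if 0 <= (ev["ts"] - t).total_seconds() <= window_seconds]
            if len(recent) >= failure_threshold:
                findings.append({
                    "ip": ev["ip"],
                    "failed_logins": len(recent),
                    "at": ev["ts"].isoformat(),
                })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_sources(SAMPLE_LOG):
        print(f"brute-force then {TARGET_ENDPOINT} POST from {f['ip']} "
              f"({f['failed_logins']} failed logins) at {f['at']}")
```

On the constructed sample this flags only 203.0.113.7; the second source POSTs to the same endpoint without any preceding failures and is left alone. The threshold and window are deliberately parameters, since legitimate administrators also mistype passwords, and a separate alert on any POST to 8021xsupport.html from outside the management network would complement this check.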

The malware attempts to spread through multiple vectors:

  • Exploitation of the Mitel vulnerability
  • Targeting other known vulnerabilities:
    • CVE-2018-17532 (TP-Link)
    • CVE-2023-26801 (IoT firmware RCE)
    • CVE-2022-31137 (Web App RCE)
    • Linksys E-series RCE
    • Hadoop YARN
    • CVE-2018-10562 and CVE-2018-10561 (Dasan router vulnerabilities)
  • Brute-forcing SSH/Telnet credentials on networked devices

Mitigation: Mitel released patches and a security advisory on July 17, 2024, urging users to upgrade their systems. Two weeks after the release, a proof-of-concept was published on GitHub which appears to have been utilized in these attacks.
