Mirai Botnet Exploits Newly Disclosed Security Flaw in Four-Faith Industrial Routers

A Growing Threat

A Mirai botnet variant has been found exploiting a newly disclosed security flaw impacting Four-Faith industrial routers since early November 2024 with the goal of conducting distributed denial-of-service (DDoS) attacks.

The Scope of the Threat

The botnet maintains approximately 15,000 daily active IP addresses, with the infections primarily scattered across China, Iran, Russia, Turkey, and the United States.

Exploiting Multiple Security Flaws

Exploiting an arsenal of over 20 known security vulnerabilities and weak Telnet credentials for initial access, the malware is known to have been active since February 2024. The botnet has been dubbed "gayfemboy" in reference to the offensive term present in the source code.

Zero-Day Vulnerability

QiAnXin XLab observed the malware leveraging a zero-day vulnerability in industrial routers manufactured by China-based Four-Faith to deliver the artifacts as early as November 9, 2024.

Related Mirai Activity

The disclosure comes weeks after Juniper Networks warned that Session Smart Router (SSR) products with default passwords are being targeted by malicious actors to drop the Mirai botnet malware. Akamai has also revealed Mirai malware infections that weaponize a remote code execution flaw in DigiEver DVRs.

The Impact of DDoS Attacks

DDoS attacks leveraging the botnet have targeted hundreds of different entities on a daily basis, with the activity reaching a new peak in October and November 2024. Although each attack lasts only 10 to 30 seconds, it generates traffic of around 100 Gbps.
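The short-burst profile described above matters for defenders because a 20-second, 100 Gbps flood nearly disappears when throughput is averaged over a typical five-minute monitoring window. The script below is an added illustration, not code from the original article or from XLab's report: it runs a simple per-second burst detector over constructed throughput samples and compares the result with the coarse window average. The threshold, baseline rate and sample data are assumptions chosen to mirror the figures in the text.

```python
"""Detect short, high-volume DDoS bursts in per-second throughput samples.

Added example: the data is synthetic and the 50 Gbps threshold is an assumption.
"""
from dataclasses import dataclass
from typing import List, Tuple

Sample = Tuple[int, float]  # (second, throughput in Gbps)


@dataclass
class Burst:
    start: int        # first second at or above the threshold
    end: int          # last second at or above the threshold (inclusive)
    peak_gbps: float  # highest per-second rate seen during the burst

    @property
    def duration(self) -> int:
        return self.end - self.start + 1


def find_bursts(samples: List[Sample], threshold_gbps: float = 50.0) -> List[Burst]:
    """Return every contiguous run of seconds whose rate is >= threshold_gbps.

    Samples are expected to be one per second, sorted ascending; a run that is
    still open when the data ends is closed at the final sample.
    """
    bursts: List[Burst] = []
    start = None
    peak = 0.0
    prev_sec = None
    for sec, gbps in samples:
        if gbps >= threshold_gbps:
            if start is None:
                start, peak = sec, gbps
            else:
                peak = max(peak, gbps)
        elif start is not None:
            bursts.append(Burst(start, prev_sec, peak))
            start = None
        prev_sec = sec
    if start is not None:                  # burst ran to the end of the capture
        bursts.append(Burst(start, prev_sec, peak))
    return bursts


def window_average(samples: List[Sample]) -> float:
    """Mean throughput over the whole sample set, i.e. what a coarse
    monitoring window would report for the same period."""
    return sum(gbps for _, gbps in samples) / len(samples)


def constructed_samples() -> List[Sample]:
    """Constructed data (not a real capture): 300 s at a 2 Gbps baseline with a
    20 s, 100 Gbps flood from t=100 to t=119, matching the burst profile in the text."""
    return [(sec, 100.0 if 100 <= sec < 120 else 2.0) for sec in range(300)]


if __name__ == "__main__":
    data = constructed_samples()
    for b in find_bursts(data):
        print(f"burst {b.start}-{b.end}s ({b.duration} s), peak {b.peak_gbps:.0f} Gbps")
    print(f"5-minute average: {window_average(data):.2f} Gbps")
```

Run stand-alone, the script reports a single 20-second burst peaking at 100 Gbps, while the five-minute average of the same data comes out near 8.5 Gbps and never crosses the 50 Gbps threshold; a detector keyed only to coarse averages would miss this traffic.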

The Threat Landscape

"DDoS has become one of the most common and destructive forms of cyber attacks," XLab researchers said. "Its attack modes are diverse, attack paths are highly concealed, and it can employ continuously evolving strategies and techniques to conduct precise strikes against various industries and systems, posing a significant threat to enterprises, government organizations, and individual users."

Susceptible Servers

The development also comes as threat actors are leveraging susceptible and misconfigured PHP servers (e.g., CVE-2024-4577) to deploy a cryptocurrency miner called PacketCrypt.
