Bots Exploiting Cacti & Realtek Vulnerabilities
Researchers have spotted several malware botnets actively exploiting Cacti and Realtek flaws to distribute ShellBot and Moobot malware in campaigns observed between January and March 2023. The vulnerabilities targeted are CVE-2021-35394, a critical remote code execution vulnerability in the Realtek Jungle SDK, and CVE-2022-46169, a critical injection vulnerability in the Cacti fault-management monitoring tool.
Moobot, a Mirai variant, currently exploits CVE-2021-35394 and CVE-2022-46169 to infect vulnerable hosts, then downloads a script containing its configuration and establishes a connection with the C2 server. The malware then sends heartbeat messages until it receives a recognized command to start an attack. Newer versions of Moobot can scan for and kill the processes of other known bots so that Moobot alone can use the full hardware capacity of the infected host for DDoS attacks.
ShellBot, discovered in January 2023 and still active, mostly targets the Cacti vulnerability. The first variant establishes communication with the C2 server and waits for commands such as ps, nmap, rm, version, down, udp, and back.
The second variant, found in March 2023, already counts hundreds of victims and supports a more extensive command set, including Help, Flooding, IRC, DDoS, Extras DDoS, News, Hacking, and Extras. This variant also includes an exploit enhancement module that collects news and public advisories from PacketStorm and MilWorm.
Recommendations to protect against these attacks:
- Use strong administrator passwords, apply the security updates that fix the vulnerabilities above, and follow the principle of least privilege.
- Replace older devices with newer ones.
- Security administrators must ensure all DDoS managed rules are set to their default settings so that DDoS protection activates as intended.
- Organizations should be able to reroute traffic through alternative servers and infrastructure in case of an outage, and should always keep critical assets in a high-availability configuration.
- All applications, databases, servers, and network devices should be hardened and correctly configured on a regular basis and kept up to date with the latest patches.