April 25, 2024

Researchers has spotted several malware botnets are actively exploiting Cacti and Realtek flaws to distribute ShellBot and Moobot malware in campaigns found between January and March 2023. The vulnerabilities targeted are CVE-2021-35394, a critical remote code execution vulnerability residing in the Realtek Jungle SDK, and CVE-2022-46169 which is a critical injection vulnerability detected in the Cacti fault management monitoring tool.

Moobot, a variant of Mirai, is currently targeting CVE-2021-35394 and CVE-2022-46169 to infect vulnerable hosts, then download a script containing its configuration and establish a connection with the C2 server. Later, the malware continues to send heartbeat messages until an incoming command is recognized to start the attack. New versions of Moobot are capable of scanning and killing processes of other known bots so that they can utilize the maximum hardware power of the infected host to launch DDoS attacks.

Advertisements

ShellBot, discovered in January 2023 and still active, mostly focuses on the Cacti vulnerability. The first variant establishes communication with the C2 and waits for the reception of commands such as ps, nmap, rm, version, down, udp, and back.

The second variant which was found in March 2023, already counts hundreds of victims, and features more extensive commands such as Help, Flooding, IRC, DDoS, Extras DDoS, News, Hacking, and Extras. Also, the malware features an exploit enhancement module that collects news and public advisories from PacketStorm and MilWorm.

To protect from the attacks – below are the recommendations

  • Use strong administrator passwords and apply the security updates that fix the mentioned vulnerabilities and follow principle of least privileges
  • Older devices should be replaced with a newer one
  • Security administrators must ensure all DDoS Managed Rules are set to default settings for optimal DDoS activation.
  • Organizations should reroute traffic through different servers and infrastructure in case of an outage and always keep critical assets in high availability.
  • All applications, databases, servers, and network devices are periodically hardened and adequately configured and should be updated with latest patches
Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

ArcaneDoor Exploits Cisco ASA and FTD

April 25, 2024

Google Fixes Critical Vulnerability in Chrome -CVE-2024-4058

April 24, 2024

Red Ransomware Victimized Targus

April 23, 2024

Oracle Virtual Box Vulnerability PoC Released – CVE-2024-21111

April 22, 2024

CrushFTP Zeroday Vulnerability Exploited in Wild attack

April 21, 2024

TheCyberThrone Security Week In Review – April 20, 2024

April 21, 2024

Discover more from TheCyberThrone

Subscribe now to keep reading and get access to the full archive.

Continue reading