New Mirai botnet targets industrial routers

According to security analysis, the Gayfemboy botnet, based on the notorious Mirai malware, is currently spreading around the world. Researchers from Chainxin X Lab found that cybercriminals have been using the botnet since November 2024 to exploit previously unknown vulnerabilities. The botnet's preferred targets include Four-Faith and Neterbit routers or smart home devices.

Experts from VulnCheck reported at the end of December that a vulnerability in Four-Faith industrial routers (CVE-2024-12856) had been exploited in the wild. The attackers exploited the router's default credentials to launch a remote command injection.

In addition, the botnet was used for targeted attacks on unknown vulnerabilities in Neterbit routers and Vimar smart home devices. According to Chainxin X Lab, Gayfemboy has exploited over 20 vulnerabilities and weak Telnet credentials to access the devices. It includes a brute-force module for insecure Telnet passwords, uses custom UPX packing with unique signatures, and implements Mirai-based command structures. This allows the attackers to update clients, scan networks, and carry out DDoS attacks.

According to researchers, the botnet has been attacking hundreds of targets every day since its discovery in February 2024. The number of daily active bot IPs is 15,000, most of which are located in China, the US, Russia, Turkey, and Iran. Targets are spread across the world and affect various industries, with the main targets being located in China, the US, Germany, the UK, and Singapore.

According to Chainxin X Lab, the botnet's DDoS attacks are short-lived (between 10 and 30 seconds), but are high in intensity, with data rates exceeding 100 Gbps and capable of disrupting even robust infrastructures. According to the analysis, the botnet's attacks target the following devices:

- ASUS routers (via N-day exploits)
- Huawei routers (via CVE-2017-17215)
- Neterbit router (custom exploit)
- LB-Link router (via CVE-2023-26801)
- Four-Faith Industrial Routers (via the zero-day now tracked as CVE-2024-12856)
- PTZ cameras (via CVE-2024-8956 and CVE-2024-8957)
- Kguard DVR
- Lilin DVR (via remote code execution exploits)
- Generic DVRs (using exploits like TVT editBlackAndWhiteList RCE)
- Vimar smart home devices (presumably exploiting an unknown vulnerability)
- Various 5G/LTE devices (likely due to misconfigurations or weak credentials)

    First seen on csoonline.com

    Jump to article: www.csoonline.com/article/3716843/new-mirai-botnet-targets-industrial-routers.html
