New Aquabotv3 botnet malware targets Mitel command injection flaw


A new variant of the Mirai-based botnet malware Aquabot has been observed actively exploiting CVE-2024-41710, a command injection vulnerability in Mitel SIP phones.

The activity was discovered by Akamai’s Security Intelligence and Response Team (SIRT), which reports that this is the third Aquabot variant to come under its radar.

The malware family was introduced in 2023, and a second version that added persistence mechanisms was released later. The third variant, ‘Aquabotv3,’ introduced a system that detects termination signals and sends the info to the command-and-control (C2) server.

Akamai comments that Aquabotv3’s mechanism to report back kill attempts is unusual for botnets and may have been added to give its operators better monitoring.

Reporting process kill attempts to the C2
Source: Akamai

Targeting Mitel phones

CVE-2024-41710 is a command injection flaw impacting Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, typically used in corporate offices, enterprises, government agencies, hospitals, educational institutes, hotels, and financial institutions.

It is a medium-severity flaw that allows an authenticated attacker with admin privileges to conduct an argument injection attack due to insufficient parameter sanitization during the boot process, resulting in arbitrary command execution.

Mitel released fixes and a security advisory about this flaw on July 17, 2024, urging users to upgrade. Two weeks later, security researcher Kyle Burns published a proof-of-concept (PoC) on GitHub.

Aquabotv3’s use of this PoC to exploit CVE-2024-41710 in attacks is the first documented case of leveraging this vulnerability.

“Akamai SIRT detected exploit attempts targeting this vulnerability through our global network of honeypots in early January 2025 using a payload almost identical to the PoC,” the researchers explain.

The fact that the attacks require authentication indicates that the malware botnet uses brute-forcing to gain initial access.

The attackers craft an HTTP POST request targeting the vulnerable endpoint 8021xsupport.html, responsible for 802.1x authentication settings in Mitel SIP phones.

The application improperly processes user input, allowing malformed data to be inserted into the phone’s local configuration (/nvdata/etc/local.cfg).

By injecting line-ending characters (%dt → %0d), the attackers manipulate how the configuration file is parsed during device boot so that it executes a remote shell script (bin.sh) fetched from their server.

This script downloads and installs an Aquabot payload for the detected architecture (x86, ARM, MIPS, etc.), sets its execution permissions using ‘chmod 777,’ and then cleans up any traces.
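The exploitation path described above gives a defender a concrete thing to look for: a POST to 8021xsupport.html whose form parameters carry URL-encoded line endings. The following added example (written for this page, not code from Akamai, Mitel or the article) inspects captured HTTP requests, as a reverse proxy, WAF or honeypot in front of a phone’s web interface would see them, and flags that pattern. The endpoint name and the %0d injection primitive come from the article; the sample captures, field names and IP addresses are constructed for illustration, and double-encoded values (%250d) are also decoded so a trivially obfuscated variant is not missed.

```python
"""Flag POST requests to the Mitel 8021xsupport.html endpoint whose form
parameters contain CR/LF after percent-decoding (the CVE-2024-41710 injection
primitive described in the article). Added example, not vendor or Akamai code."""
import re
from typing import Optional
from urllib.parse import unquote

VULNERABLE_ENDPOINT = "8021xsupport.html"   # endpoint named in the article
LINE_ENDING = re.compile(r"[\r\n]")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded %250d / %250a is also caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_injected_params(body: str) -> list:
    """Return the names of form fields whose decoded value contains CR or LF."""
    hits = []
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, raw_value = pair.partition("=")
        if LINE_ENDING.search(fully_decode(raw_value)):
            hits.append(fully_decode(name))
    return hits


def inspect_request(method: str, path: str, body: str) -> Optional[dict]:
    """Return a finding for a suspicious request, or None for anything else."""
    if method.upper() != "POST":
        return None
    # Strip any query string and directory prefix; compare only the resource name.
    resource = path.split("?", 1)[0].rsplit("/", 1)[-1]
    if resource != VULNERABLE_ENDPOINT:
        return None
    params = find_injected_params(body)
    if not params:
        return None
    return {"path": path, "params": params, "reason": "CR/LF in form parameter"}


# Constructed sample captures (hypothetical field names and RFC 5737 test addresses).
SAMPLE_REQUESTS = [
    {"src": "198.51.100.4", "method": "POST", "path": "/8021xsupport.html",
     "body": "identity=phone01&enable=1"},                 # benign admin change
    {"src": "203.0.113.7", "method": "POST", "path": "/8021xsupport.html",
     "body": "identity=phone01%0dextra_line&enable=1"},    # encoded CR: suspicious
    {"src": "203.0.113.7", "method": "POST", "path": "/8021xsupport.html",
     "body": "identity=phone01%250a&enable=1"},            # double-encoded LF: suspicious
    {"src": "192.0.2.10", "method": "GET", "path": "/8021xsupport.html",
     "body": ""},                                          # GET, no body: ignored
    {"src": "192.0.2.11", "method": "POST", "path": "/login.html",
     "body": "user=admin%0a"},                             # other endpoint: out of scope here
]


def scan(requests: list) -> list:
    """Run inspect_request over a list of captures and collect the findings."""
    findings = []
    for req in requests:
        finding = inspect_request(req["method"], req["path"], req["body"])
        if finding:
            finding["src"] = req["src"]
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f['src']} {f['path']} params={f['params']} ({f['reason']})")
```

Because the flaw requires admin authentication, a hit from this check is most useful when correlated with the failed-login burst that precedes a brute-forced session; on the device side, an unexpected change to /nvdata/etc/local.cfg or an outbound fetch of a shell script at boot are the corresponding host indicators mentioned in the article.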

Aquabotv3 activity

Once persistence is ensured, Aquabotv3 connects to its C2 via TCP to receive instructions, attack commands, updates, or additional payloads.

Next, it attempts to spread to other IoT devices using the Mitel exploit, CVE-2018-17532 (TP-Link), CVE-2023-26801 (IoT firmware RCE), CVE-2022-31137 (Web App RCE), Linksys E-series RCE, Hadoop YARN, and CVE-2018-10562 / CVE-2018-10561 (Dasan router bugs).

The malware also attempts to brute force default or weak SSH/Telnet credentials to spread to poorly secured devices on the same network.

The goal of Aquabotv3 is to enlist devices in its distributed denial of service (DDoS) swarm and use them to carry out TCP SYN, TCP ACK, UDP, GRE IP, and application-layer attacks.

The botnet’s operator advertises its DDoS capabilities on Telegram under the names Cursinq Firewall, The Eye Services, and The Eye Botnet, presenting it as a testing tool for DDoS mitigation measures.

Akamai has listed the indicators of compromise (IoC) associated with Aquabotv3, as well as Snort and YARA rules for detecting the malware, at the bottom of its report.
