Researchers Uncovered Remote DoS Exploit in Mirai Botnet


Mirai botnets have played a major role in DDoS attacks worldwide, recruiting IoT devices and turning them against servers. Mirai was discovered in August 2016 and has made headlines several times because of the scale of its denial-of-service attacks and the size of its network.

Mirai botnets have comprised thousands of compromised devices, recruited by targeting consumer hardware such as IP cameras and home routers through weak default passwords and known vulnerabilities. Several other botnet variants share much of their source code with Mirai.


However, a new vulnerability has been discovered in the Mirai botnet's Command and Control (CNC) server that allows an attacker to take it down with a denial-of-service attack.

DoS Attack against a DDoS Server

A botnet's core infrastructure depends entirely on its C2 (CNC) servers, from which thousands of compromised zombie machines are controlled. The vulnerability, discovered by researcher Jacob Masse, is a denial-of-service condition caused by improper session management on the CNC server.


The researcher also stated that no authentication is required to launch the attack, which makes it easy to exploit. The same attack could be used by law enforcement or security researchers to render CNC servers inoperable, which could help dismantle the botnet.

Exploiting the vulnerability involves overwhelming the server's session buffer, which is not handled properly when many simultaneous connections are made. The flaw lies in the pre-authentication phase: additional connections opened while an authentication attempt is still pending are not properly handled.

In practice, an attacker opens many connections to the CNC server, each sending an authentication request with a root username. The server fails to manage these concurrent pending sessions, which results in resource exhaustion and a server crash.
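The weakness described above is a bounded-resource problem on the pre-authentication path: every connection that reaches the login prompt costs the server a session until it either authenticates or goes away. The following is an added, illustrative example (written for this article, not code from the Mirai CNC source or from the researcher's proof of concept) of the admission control a CNC-style login server would need to survive such a flood. It is in Go because the leaked Mirai CNC is written in Go; the limiter type, its limits and the loopback flood in main are all assumptions chosen for the demonstration.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"sync"
	"time"
)

// PreAuthLimiter bounds sessions that have connected but not yet passed the
// login prompt. Illustrative hardening model only (assumed design, not the
// Mirai CNC code): caps per source IP and server-wide, plus an idle TTL so
// a flood of half-finished logins cannot hold sessions forever.
type PreAuthLimiter struct {
	mu      sync.Mutex
	perIP   int                    // max pending sessions from one source IP
	total   int                    // max pending sessions server-wide
	ttl     time.Duration          // how long an unauthenticated session may linger
	pending map[string][]time.Time // source IP -> admission times of its pending sessions
	now     func() time.Time       // injectable clock so expiry can be tested
}

func NewPreAuthLimiter(perIP, total int, ttl time.Duration) *PreAuthLimiter {
	return &PreAuthLimiter{perIP: perIP, total: total, ttl: ttl,
		pending: map[string][]time.Time{}, now: time.Now}
}

// expire drops sessions older than ttl and returns the live count; caller holds mu.
func (l *PreAuthLimiter) expire() int {
	cutoff := l.now().Add(-l.ttl)
	n := 0
	for ip, ts := range l.pending {
		keep := ts[:0]
		for _, t := range ts {
			if t.After(cutoff) {
				keep = append(keep, t)
			}
		}
		if len(keep) == 0 {
			delete(l.pending, ip)
			continue
		}
		l.pending[ip] = keep
		n += len(keep)
	}
	return n
}

// Admit is called on accept(), before the login prompt is sent. A false
// return means: close the socket now and allocate no session for it.
func (l *PreAuthLimiter) Admit(ip string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	live := l.expire()
	if live >= l.total || len(l.pending[ip]) >= l.perIP {
		return false
	}
	l.pending[ip] = append(l.pending[ip], l.now())
	return true
}

// Release frees one slot when a session authenticates or disconnects.
func (l *PreAuthLimiter) Release(ip string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	if ts := l.pending[ip]; len(ts) > 0 {
		l.pending[ip] = ts[1:] // drop the oldest pending entry for this source
	}
}

// Pending reports the number of live pre-auth sessions after expiry.
func (l *PreAuthLimiter) Pending() int {
	l.mu.Lock()
	defer l.mu.Unlock()
	return l.expire()
}

// serve is a minimal login-prompt server: refused connections are closed
// before any prompt is written, so they pin neither a goroutine nor a buffer.
func serve(ln net.Listener, l *PreAuthLimiter) {
	for {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		ip, _, _ := net.SplitHostPort(c.RemoteAddr().String())
		if !l.Admit(ip) {
			c.Close()
			continue
		}
		go func() {
			defer c.Close()
			defer l.Release(ip)
			c.SetDeadline(time.Now().Add(l.ttl)) // idle pre-auth sessions are cut off
			fmt.Fprint(c, "username: ")
			bufio.NewReader(c).ReadString('\n') // a real CNC would check credentials here
		}()
	}
}

func main() {
	lim := NewPreAuthLimiter(3, 100, 2*time.Second)
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	go serve(ln, lim)
	// Constructed flood from one source: ten connections that each send a
	// root username and never finish the login, as the article describes.
	for i := 0; i < 10; i++ {
		c, err := net.Dial("tcp", ln.Addr().String())
		if err != nil {
			continue
		}
		defer c.Close()
		fmt.Fprint(c, "root")
	}
	time.Sleep(200 * time.Millisecond)
	fmt.Printf("pre-auth sessions held by server: %d (per-IP limit 3)\n", lim.Pending())
}
```

Without the limiter, the accept loop above would spawn one goroutine and one reader buffer per connection and hold them until the client spoke, which is the resource-exhaustion pattern the article attributes to the CNC; with it, the flood costs the server at most three pending sessions per source and the rest are closed at accept time.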

Impacts of Exploitation

If this vulnerability is exploited, the attacker can disrupt the botnet's operations and thereby neutralize the threat it poses. On the other side, organizations that run a Mirai-based botnet environment for network stress testing are also exposed to this vulnerability, which could potentially lead to data corruption and disruption of operations.

The researcher also published a proof-of-concept video, in which the exploit was run from a server with 1 CPU core, 1 GB of RAM and 25 GB of storage against a demo Mirai botnet environment. The proof-of-concept code can be found at this link.

“The demonstrated exploit’s success proved that it took the CNC offline and showed that you do not need a large server to run it,” Jacob Masse added.
