#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

mirai botnet | Breaking Cybersecurity News | The Hacker News

Category — mirai botnet
New Gorilla Botnet Launches Over 300,000 DDoS Attacks Across 100 Countries

New Gorilla Botnet Launches Over 300,000 DDoS Attacks Across 100 Countries

Oct 07, 2024 IoT Security / Botnet
Cybersecurity researchers have discovered a new botnet malware family called Gorilla (aka GorillaBot) that draws its inspiration from the leaked Mirai botnet source code. Cybersecurity firm NSFOCUS, which identified the activity last month, said the botnet "issued over 300,000 attack commands, with a shocking attack density" between September 4 and September 27, 2024. No less than 20,000 commands designed to mount distributed denial-of-service (DDoS) attacks have been issued from the botnet every day on average. The botnet is said to have targeted more than 100 countries, attacking universities, government websites, telecoms, banks, gaming, and gambling sectors. China, the U.S., Canada, and Germany have emerged as the most attacked countries. The Beijing-headquartered company said Gorilla primarily uses UDP flood , ACK BYPASS flood, Valve Source Engine (VSE) flood , SYN flood , and ACK flood to conduct the DDoS attacks, adding the connectionless nature of the UDP prot
Mirai Botnet Exploits Ivanti Connect Secure Flaws for Malicious Payload Delivery

Mirai Botnet Exploits Ivanti Connect Secure Flaws for Malicious Payload Delivery

May 09, 2024 Network Security / Botnet
Two recently disclosed security flaws in Ivanti Connect Secure (ICS) devices are being exploited to deploy the infamous  Mirai botnet . That's according to  findings  from Juniper Threat Labs, which said the vulnerabilities  CVE-2023-46805 and CVE-2024-21887  have been leveraged to deliver the botnet payload. While CVE-2023-46805 is an authentication bypass flaw, CVE-2024-21887 is a command injection vulnerability, thereby allowing an attacker to chain the two into an exploit chain to execute arbitrary code and take over susceptible instances. In the attack chain observed by the network security company, CVE-2023-46805 is exploited to gain access to the "/api/v1/license/key-status/;" endpoint, which is vulnerable to command injection, and inject the payload. As  previously outlined  by Assetnote in their technical deep dive of the CVE-2024-21887, the exploit is triggered by means of a request to "/api/v1/totp/user-backup-code/" to deploy the malware. &quo
The Secret Weakness Execs Are Overlooking: Non-Human Identities

The Secret Weakness Execs Are Overlooking: Non-Human Identities

Oct 03, 2024Enterprise Security / Cloud Security
For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity . Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,
New Findings Challenge Attribution in Denmark's Energy Sector Cyberattacks

New Findings Challenge Attribution in Denmark's Energy Sector Cyberattacks

Jan 14, 2024 Cyber Attack / Vulnerability
The cyber attacks targeting the energy sector in Denmark last year may not have had the involvement of the Russia-linked Sandworm hacking group,  new findings  from Forescout show. The intrusions, which  targeted around 22 Danish energy organizations  in May 2023, occurred in two distinct waves, one which exploited a security flaw in Zyxel firewall (CVE-2023-28771) and a follow-on activity cluster that saw the attackers deploy Mirai botnet variants on infected hosts via an as-yet-unknown initial access vector. The first wave took place on May 11, while the second wave lasted from May 22 to 31, 2023. In one such attack detected on May 24, it was observed that the compromised system was communicating with IP addresses (217.57.80[.]18 and 70.62.153[.]174) that were previously used as command-and-control (C2) for the now-dismantled  Cyclops Blink  botnet. Forescout's closer examination of the attack campaign, however, has revealed that not only were the two waves unrelated, but also
cyber security

The State of SaaS Security 2024 Report

websiteAppOmniSaaS Security / Data Security
Learn the latest SaaS security trends and discover how to boost your cyber resilience. Get your free…
NoaBot: Latest Mirai-Based Botnet Targeting SSH Servers for Crypto Mining

NoaBot: Latest Mirai-Based Botnet Targeting SSH Servers for Crypto Mining

Jan 10, 2024 Server Security / Cryptocurrency
A new Mirai-based botnet called  NoaBot  is being used by threat actors as part of a crypto mining campaign since the beginning of 2023. "The capabilities of the new botnet, NoaBot, include a wormable self-spreader and an SSH key backdoor to download and execute additional binaries or spread itself to new victims," Akamai security researcher Stiv Kupchik said in a report shared with The Hacker News. Mirai , which had its source code leaked in 2016, has been the progenitor of a number of botnets, the most recent being  InfectedSlurs , which is capable of mounting distributed denial-of-service (DDoS) attacks. There are indications that NoaBot could be linked to another botnet campaign involving a Rust-based malware family known as  P2PInfect , which recently received an update to target routers and IoT devices. This is based on the fact that threat actors have also experimented with dropping P2PInfect in place of NoaBot in recent attacks targeting SSH servers, indicating likely at
Mirai Botnet Variant 'Pandora' Hijacks Android TVs for Cyberattacks

Mirai Botnet Variant 'Pandora' Hijacks Android TVs for Cyberattacks

Sep 07, 2023 Botnet / Cyber Threat
A  Mirai botnet  variant called  Pandora  has been observed infiltrating inexpensive Android-based TV sets and TV boxes and using them as part of a botnet to perform distributed denial-of-service (DDoS) attacks. Doctor Web said the compromises are likely to occur either during malicious firmware updates or when applications for viewing pirated video content are installed. "It is likely that this update has been made available for download from a number of websites, as it is signed with publicly available Android Open Source Project test keys," the Russian company  said  in an analysis published Wednesday. "The service that runs the backdoor is included in boot.img," enabling it to persist between system restarts. In the alternative distribution methods, it's suspected that users are tricked into installing applications for streaming pirated movies and TV shows through websites that mainly single out Spanish-speaking users. The list of apps is as follows -
New Mirai Botnet Variant 'V3G4' Exploiting 13 Flaws to Target Linux and IoT Devices

New Mirai Botnet Variant 'V3G4' Exploiting 13 Flaws to Target Linux and IoT Devices

Feb 17, 2023 IoT Security / Cyber Attack
A new variant of the notorious Mirai botnet has been found leveraging several security vulnerabilities to propagate itself to Linux and IoT devices. Observed during the second half of 2022, the new version has been dubbed  V3G4  by Palo Alto Networks Unit 42, which identified three different campaigns likely conducted by the same threat actor. "Once the vulnerable devices are compromised, they will be fully controlled by attackers and become a part of the botnet," Unit 42 researchers  said . "The threat actor has the capability to utilize those devices to conduct further attacks, such as distributed denial-of-service (DDoS) attacks." The attacks primarily single out exposed servers and networking devices running Linux, with the adversary weaponizing as many as 13 flaws that could lead to remote code execution (RCE). Some of the notable flaws relate to critical flaws in Atlassian Confluence Server and Data Center, DrayTek Vigor routers, Airspan AirSpot, and Geu
Mirai Botnet Hits Wynncraft Minecraft Server with 2.5 Tbps DDoS Attack

Mirai Botnet Hits Wynncraft Minecraft Server with 2.5 Tbps DDoS Attack

Oct 14, 2022
Web infrastructure and security company Cloudflare disclosed this week that it halted a 2.5 Tbps distributed denial-of-service (DDoS) attack launched by a Mirai botnet. Characterizing it as a "multi-vector attack consisting of UDP and TCP floods," researcher Omer Yoachimik said the DDoS attack targeted the Minecraft server Wynncraft in Q3 2022. "The entire 2.5 Tbps attack lasted about 2 minutes, and the peak of the 26 million rps attack [was] only 15 seconds," Yoachimik  noted . "This is the largest attack we've ever seen from the bitrate perspective." Cloudflare also pointed to a surge in multi-terabit DDoS attacks as well as longer-lasting volumetric attacks during the time period, not to mention an uptick in attacks targeting Taiwan and Japan. The disclosure comes almost 10 months after Microsoft said it thwarted a  record-breaking 3.47 Tbps DDoS attack  in November 2021 directed against an unnamed Azure customer in Asia. Other  DDoS attacks
Mirai Variant MooBot Botnet Exploiting D-Link Router Vulnerabilities

Mirai Variant MooBot Botnet Exploiting D-Link Router Vulnerabilities

Sep 07, 2022
A variant of the Mirai botnet known as MooBot is co-opting vulnerable D-Link devices into an army of denial-of-service bots by taking advantage of multiple exploits. "If the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct further attacks such as distributed denial-of-service (DDoS) attacks," Palo Alto Networks Unit 42  said  in a Tuesday report. MooBot, first disclosed by Qihoo 360's Netlab team in September 2019, has previously targeted  LILIN digital video recorders  and  Hikvision video surveillance products  to expand its network. In the latest wave of attacks discovered by Unit 42 in early August 2022, as many as four different flaws in D-Link devices, both old and new, have paved the way for the deployment of MooBot samples. These include - CVE-2015-2051  (CVSS score: 10.0) - D-Link HNAP SOAPAction Header Command Execution Vulnerability CVE-2018-6530  (CVSS score: 9.8) - D-Link SOAP Interface Re
'Satori' IoT DDoS Botnet Operator Sentenced to 13 Months in Prison

'Satori' IoT DDoS Botnet Operator Sentenced to 13 Months in Prison

Jun 26, 2020
The United States Department of Justice yesterday sentenced a 22-year-old Washington-based hacker to 13 months in federal prison for his role in creating botnet malware, infecting a large number of systems with it, and then abusing those systems to carry out large scale distributed denial-of-service (DDoS) attacks against various online service and targets. According to court documents, Kenneth Currin Schuchman , a resident of Vancouver, and his criminal associates–Aaron Sterritt and Logan Shwydiuk–created multiple DDoS botnet malware since at least August 2017 and used them to enslave hundreds of thousands of home routers and other Internet-connected devices worldwide. Dubbed Satori, Okiru, Masuta, and Tsunami or Fbot, all these botnets were the successors of the infamous IoT malware Mirai , as they were created mainly using the source code of Mirai, with some additional features added to make them more sophisticated and effective against evolving targets. Even after the orig
Mukashi: A New Mirai IoT Botnet Variant Targeting Zyxel NAS Devices

Mukashi: A New Mirai IoT Botnet Variant Targeting Zyxel NAS Devices

Mar 21, 2020
A new version of the infamous Mirai botnet is exploiting a recently uncovered critical vulnerability in network-attached storage (NAS) devices in an attempt to remotely infect and control vulnerable machines. Called " Mukashi ," the new variant of the malware employs brute-force attacks using different combinations of default credentials to log into Zyxel NAS, UTM, ATP, and VPN firewall products to take control of the devices and add them to a network of infected bots that can be used to carry out Distributed Denial of Service (DDoS) attacks. Multiple Zyxel NAS products running firmware versions up to 5.21 are vulnerable to the compromise, Palo Alto Networks' Unit 42 global threat intelligence team said, adding they uncovered the first such exploitation of the flaw in the wild on March 12. Zyxel's Pre-Authentication Command Injection Flaw Mukashi hinges on a pre-authentication command injection vulnerability (tracked as CVE-2020-9054 ), for which a proof-
Mirai Variant Adds Dozen New Exploits to Target Enterprise IoT Devices

Mirai Variant Adds Dozen New Exploits to Target Enterprise IoT Devices

Mar 19, 2019
Security researchers have uncovered a new variant of the infamous Mirai Internet of Things botnet , this time targeting embedded devices intended for use within business environments in an attempt to gain control over larger bandwidth to carry out devastating DDoS attacks . Although the original creators of Mirai botnet have already been arrested and jailed , variants of the infamous IoT malware, including Satori and Okiru , keep emerging due to the availability of its source code on the Internet since 2016. First emerged in 2016, Mirai is well known IoT botnet malware that has the ability to infect routers, and security cameras, DVRs, and other smart devices—which typically use default credentials and run outdated versions of Linux—and enslaves the compromised devices to form a botnet, which is then used to conduct DDoS attacks . New Mirai Variant Targets Enterprise IoT Devices Now, Palo Alto Network Unit 42 researchers have spotted the newest variant of Mirai that'
Mirai Botnet Creators Helping FBI Fight Cybercrime to Stay Out of Jail

Mirai Botnet Creators Helping FBI Fight Cybercrime to Stay Out of Jail

Sep 19, 2018
Three young hackers who were sentenced late last year for creating and spreading the notorious Mirai botnet are now helping the FBI to investigate other "complex" cybercrime cases in return to avoid their lengthy prison terms. Paras Jha, 21 from New Jersey, Josiah White, 20 from Washington, and Dalton Norman, 21 from Louisiana, plead guilty in December 2017 to multiple charges for their role in creating and hijacking hundreds of thousands IoT devices to make them part of a notorious botnet network dubbed Mirai . Mirai malware scanned for insecure routers, cameras, DVRs, and other Internet of Things (IoT) devices which were using their default passwords and then made them part of a botnet network . The trio developed the Mirai botnet to attack rival Minecraft video gaming hosts, but after realizing that their invention was powerful enough to launch record-breaking DDoS attacks against targets like OVH hosting website, they released the source code of Mirai . The
5 Powerful Botnets Found Exploiting Unpatched GPON Router Flaws

5 Powerful Botnets Found Exploiting Unpatched GPON Router Flaws

May 10, 2018
Well, that did not take long. Within just 10 days of the disclosure of two critical vulnerabilities in GPON router at least 5 botnet families have been found exploiting the flaws to build an army of million devices. Security researchers from Chinese-based cybersecurity firm Qihoo 360 Netlab have spotted 5 botnet families, including Mettle, Muhstik, Mirai, Hajime, and Satori, making use of the GPON exploit in the wild. As detailed in our previous post, Gigabit-capable Passive Optical Network (GPON) routers manufacturer by South Korea-based DASAN Zhone Solutions have been found vulnerable to an authentication bypass ( CVE-2018-10561 ) and a root-RCE ( CVE-2018-10562 ) flaws that eventually allow remote attackers to take full control of the device. Shortly after the details of the vulnerabilities went public, 360 Netlab researchers warned of threat actors exploiting both the flaws to hijack and add the vulnerable routers into their botnet malware networks. Now, the researche
New Mirai Okiru Botnet targets devices running widely-used ARC Processors

New Mirai Okiru Botnet targets devices running widely-used ARC Processors

Jan 15, 2018
The cybersecurity threat landscape has never been more extensive and is most likely to grow exponentially in 2018. Although the original creators of Mirai DDoS botnet have already been arrested and jailed, the variants of the infamous IoT malware are still in the game due to the availability of its source code on the Internet. Security researchers have spotted a new variant of infamous Mirai IoT malware designed to hijack insecure devices that run on ARC embedded processors. Until now, Mirai and its variants have been targeting CPU architectures— including x86, ARM, Sparc, MIPS, PowerPC and Motorola 6800 —deployed in millions of Internet of Things (IoT) devices. Dubbed Okiru , the new Mirai variant, first spotted by @unixfreaxjp from MalwareMustDie team and notified by independent researcher Odisseus , is a new piece of ELF malware that targets ARC-based embedded devices running Linux operating system. " This is the FIRST TIME ever in the history of computer eng
Satori IoT Botnet Exploits Zero-Day to Zombify Huawei Routers

Satori IoT Botnet Exploits Zero-Day to Zombify Huawei Routers

Dec 23, 2017
Although the original creators of the infamous IoT malware Mirai have already been arrested and sent to jail, the variants of the notorious botnet are still in the game due to the availability of its source code on the Internet. Hackers have widely used the infamous IoT malware to quietly amass an army of unsecured internet-of-things devices , including home and office routers, that could be used at any time by hackers to launch Internet-paralyzing DDoS attacks . Another variant of Mirai has hit once again, propagating rapidly by exploiting a zero-day vulnerability in a Huawei home router model. Dubbed Satori (also known as Okiru), the Mirai variant has been targeting Huawei's router model HG532, as Check Point security researchers said they tracked hundreds of thousands of attempts to exploit a vulnerability in the router model in the wild. Identified initially by Check Point researchers late November, Satori was found infecting more than 200,000 IP addresses in just
Three Hackers Plead Guilty to Creating IoT-based Mirai DDoS Botnet

Three Hackers Plead Guilty to Creating IoT-based Mirai DDoS Botnet

Dec 13, 2017
The U.S. federal officials have arrested three hackers who have pleaded guilty to computer-crimes charges for creating and distributing Mirai botnet that crippled some of the world's biggest and most popular websites by launching the massive DDoS attacks last year. According to the federal court documents unsealed Tuesday, Paras Jha (21-year-old from New Jersey), Josiah White (20-year-old Washington) and Dalton Norman (21-year-old from Louisiana) were indicted by an Alaska court last week on multiple charges for their role in massive cyber attacks conducted using Mirai botnet. Mirai is a piece of nasty IoT malware that scans for insecure routers, cameras, DVRs, and other Internet of Things devices which are still using their default passwords and then add them into a botnet network, which is then used to launch DDoS attacks on websites and Internet infrastructure. According to his plea agreement, Jha " conspired to conduct DDoS attacks against websites and web ho
New Mirai Botnet Variant Found Targeting ZyXEL Devices In Argentina

New Mirai Botnet Variant Found Targeting ZyXEL Devices In Argentina

Nov 28, 2017
While tracking botnet activity on their honeypot traffic, security researchers at Chinese IT security firm Qihoo 360 Netlab discovered a new variant of Mirai —the well known IoT botnet malware that wreaked havoc last year. Last week, researchers noticed an increase in traffic scanning ports 2323 and 23 from hundreds of thousands of unique IP addresses from Argentina in less than a day. The targeted port scans are actively looking for vulnerable internet-connected devices manufactured by ZyXEL Communications using two default telnet credential combinations— admin/CentryL1nk and admin/QwestM0dem —to gain root privileges on the targeted devices. Researchers believe (instead "quite confident") this ongoing campaign is part of a new Mirai variant that has been upgraded to exploit a newly released vulnerability (identified as CVE-2016-10401 ) in ZyXEL PK5001Z modems. "ZyXEL PK5001Z devices have zyad5001 as the su (superuser) password, which makes it easier for rem
New Rapidly-Growing IoT Botnet Threatens to Take Down the Internet

New Rapidly-Growing IoT Botnet Threatens to Take Down the Internet

Oct 21, 2017
Just a year after Mirai —biggest IoT-based malware that caused vast Internet outages by launching massive DDoS attacks—completed its first anniversary, security researchers are now warning of a brand new rapidly growing IoT botnet. Dubbed ' IoT_reaper ,' first spotted in September by researchers at firm Qihoo 360, the new malware no longer depends on cracking weak passwords; instead, it exploits vulnerabilities in various IoT devices and enslaves them into a botnet network. IoT_reaper malware currently includes exploits for nine previously disclosed vulnerabilities in IoT devices from following manufactures: Dlink (routers) Netgear (routers) Linksys (routers) Goahead (cameras) JAWS (cameras) AVTECH (cameras) Vacron (NVR) Researchers believe IoT_reaper malware has already infected nearly two million devices and growing continuously at an extraordinary rate of 10,000 new devices per day. This is extremely worrying because it took only 100,000 infected devices
British Hacker Admits Using Mirai Botnet to DDoS Deutsche Telekom

British Hacker Admits Using Mirai Botnet to DDoS Deutsche Telekom

Jul 25, 2017
An unnamed 29-year-old man, named by authorities as "Daniel K.," pleaded guilty in a German court on Friday to charges related to the hijacking of more than one Million Deutsche Telekom routers . According to reports in the German press , the British man, who was using online monikers "Peter Parker" and "Spiderman," linked to domains used to launch cyber attacks powered by the notorious Mirai malware has been pleaded guilty to " attempted computer sabotage ." The suspect was arrested on 22nd February this year at Luton airport in London by Britain's National Crime Agency (NCA) at the request of the Federal Criminal Police Office of Germany, aka the Bundeskriminalamt (BKA). The hacker, also known as 'BestBuy,' admitted to the court on Friday that he was behind the cyber attack that knocked more than 1.25 Million customers of German telecommunications provider Deutsche Telekom offline last November. According to the German aut
Expert Insights / Articles Videos
Cybersecurity Resources