Full Report
A Mirai botnet variant has been found exploiting a newly disclosed security flaw impacting Four-Faith industrial routers since early November 2024 with the goal of conducting distributed denial-of-service (DDoS) attacks. The botnet maintains approximately 15,000 daily active IP addresses, with the infections primarily scattered across China, Iran, Russia, Turkey, and the United States.
Analysis Summary
# Incident Report: Mirai Botnet Exploits Four-Faith Routers for DDoS
## Executive Summary
A specific variant of the notorious Mirai botnet, dubbed "gayfemboy," has been actively exploiting a zero-day vulnerability (CVE-2024-12856) in Four-Faith industrial routers since at least November 2024 to recruit devices into its network and launch large-scale Distributed Denial-of-Service (DDoS) attacks. The campaign maintains approximately 15,000 active IP addresses globally, with DDoS traffic peaking at around 100 Gbps. Incident response focuses primarily on identifying compromised devices, analyzing the exploitation chain, and understanding the broader use of known vulnerabilities for malware propagation.
## Incident Details
- Discovery Date: Early November 2024 (when zero-day exploitation was first observed by researchers)
- Incident Date: Malware active since February 2024; exploitation of the zero-day specifically began around November 9, 2024.
- Affected Organization: Owners of Four-Faith industrial routers (models F3x24 and F3x36 are specifically named as affected by the vulnerability).
- Sector: Primarily targeting devices in the Industrial/IoT sector, but the botnet itself is distributed globally.
- Geography: Infections primarily spread across China, Iran, Russia, Turkey, and the United States.
## Timeline of Events
### Initial Access
- Date/Time: Observed leveraging CVE-2024-12856 starting around November 9, 2024.
- Vector: Exploitation of the **CVE-2024-12856** (OS Command Injection) in Four-Faith routers, possibly coupled with leveraging unchanged default Telnet credentials.
- Details: The flaw allows remote attackers to execute OS commands, facilitating the delivery of botnet artifacts. The malware leverages an arsenal of over 20 known vulnerabilities in addition to this zero-day.
### Lateral Movement
- Details: Once established, the malware uses a Mirai-based command structure to scan the internet for additional vulnerable devices matching a signature profile.
### Data Exfiltration/Impact
- Impact: The primary impact observed is the forced participation in large-scale DDoS attacks, generating traffic up to 100 Gbps against hundreds of daily entities, with attack duration typically lasting 10 to 30 seconds.
### Detection & Response
- Detection: Researchers (QiAnXin XLab) observed the malware leveraging the Four-Faith zero-day starting November 9, 2024.
- Response Actions: The identification and public disclosure of the new zero-day exploitation (CVE-2024-12856) and the associated botnet activity served as the primary initial response mechanism to warn affected users.
## Attack Methodology
- Initial Access: Exploiting CVE-2024-12856 (Command Injection) on Four-Faith routers; also using over 20 older known IoT vulnerabilities and weak Telnet credentials.
- Persistence: Implements standard Mirai techniques to maintain access.
- Privilege Escalation: Not explicitly detailed; in practice no separate step is needed, because the injected commands run with the privileges of the exploited service, which on such IoT devices is typically root.
- Defense Evasion: Malware attempts to hide malicious processes.
- Credential Access: Exploitation of known weak/default Telnet credentials.
- Discovery: Scans the network for additional vulnerable devices using a Mirai-based scanning mechanism.
- Lateral Movement: Scanning and exploiting known vulnerabilities on other reachable devices.
- Collection: Little information is available on data collection; the malware's focus is on recruiting devices as attack capacity rather than on gathering data.
- Exfiltration: Not the primary goal; the goal is network disruption via DDoS.
- Impact: Launching high-volume DDoS attacks (up to 100 Gbps).
## Impact Assessment
- Financial: Not explicitly quantified, but costs associated with mitigating 100 Gbps DDoS attacks would be substantial for targeted entities.
- Data Breach: No evidence of large-scale data exfiltration reported; the focus is on destructive/disruptive activity.
- Operational: Targeted entities experience service disruptions from daily DDoS attacks.
- Reputational: Potential reputational damage to Four-Faith due to unpatched vulnerabilities in their industrial hardware.
## Indicators of Compromise
- Network Indicators: Traffic matching known Mirai C2 communication patterns (the specific C2 domains and IPs are omitted here in keeping with the defanging requirement).
- File Indicators: Mirai-based payload artifacts dropped onto the compromised Linux-based IoT devices.
- Behavioral Indicators: Devices engaging in high-volume outbound TCP/UDP traffic bursts consistent with volumetric DDoS attacks; attempts to hide processes; ongoing internal scanning behavior.
## Response Actions
- Containment Measures: Identifying and isolating or patching exploited Four-Faith routers (Models F3x24/F3x36) running vulnerable firmware.
- Eradication Steps: Removing the Mirai variant artifacts and terminating malicious processes on compromised devices.
- Recovery Actions: Restoring normal network operations for targeted DDoS victims.
## Lessons Learned
- New Mirai variants continue to rapidly incorporate newly disclosed zero-days (like CVE-2024-12856) into their exploitation arsenal almost immediately upon disclosure or discovery.
- The reliance on unchanged default credentials in industrial hardware remains a critical failure point, even when paired with complex vulnerabilities.
- The malware's long period of activity (since February 2024) before wide-scale discovery highlights the challenge of securing legacy or remote IoT infrastructure.
## Recommendations
- **Patch Management:** Manufacturers (Four-Faith) must prioritize releasing patches for CVE-2024-12856 and other exposed vulnerabilities promptly.
- **Security Hardening:** Users of industrial routers must immediately change all default Telnet credentials and disable unnecessary services.
- **Network Segmentation:** Isolate IoT/Industrial control systems networks from core business networks to limit potential lateral movement originating from a compromised edge device.
- **Monitoring:** Implement enhanced network traffic monitoring capable of detecting established Mirai command-and-control communication protocols and high-volume outbound attack traffic originating from internal hosts.
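The behavioral indicators and the monitoring recommendation above describe two detectable patterns: short, high-volume outbound TCP/UDP bursts from a single host, and Mirai-style probing of many other hosts on the Telnet port. As an added example, not part of the original report or of any vendor tooling, the following Python applies both checks to constructed flow records; the 30 s window and the byte and destination-count thresholds are assumptions to be tuned against a real network baseline.

```python
from collections import defaultdict

# Constructed flow records: (timestamp_s, src, dst, dst_port, proto, bytes). Thresholds are
# illustrative assumptions; the 30 s window mirrors the 10-30 s attack durations in the report.
WINDOW_S = 30
BURST_BYTES = 50_000_000      # outbound bytes from one host inside the window
SCAN_DISTINCT_DSTS = 20       # distinct destinations probed on TCP/23 inside the window

def detect_ddos_bursts(flows, window=WINDOW_S, threshold=BURST_BYTES):
    """Flag hosts whose outbound TCP/UDP bytes in any sliding window exceed threshold."""
    by_src = defaultdict(list)
    for ts, src, _dst, _dport, proto, nbytes in flows:
        if proto in ("tcp", "udp"):
            by_src[src].append((ts, nbytes))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        total, start = 0, 0
        for ts, nbytes in events:
            total += nbytes
            while ts - events[start][0] > window:   # drop flows older than the window
                total -= events[start][1]
                start += 1
            if total > threshold:
                flagged[src] = max(flagged.get(src, 0), total)
    return flagged

def detect_telnet_scanning(flows, window=WINDOW_S, threshold=SCAN_DISTINCT_DSTS):
    """Flag hosts that contact many distinct destinations on TCP/23 inside the window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto, _nbytes in flows:
        if proto == "tcp" and dport == 23:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        for ts, _ in events:
            dsts = {d for t, d in events if ts - window <= t <= ts}
            if len(dsts) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(dsts))
    return flagged

def build_sample_flows():
    """Constructed sample: one router floods a target for 20 s, then probes 40 Telnet hosts."""
    flows = [(1000 + i, "10.0.5.20", "203.0.113.9", 80, "udp", 15_000_000) for i in range(20)]
    flows += [(2000 + i, "10.0.5.20", f"198.51.100.{i + 1}", 23, "tcp", 60) for i in range(40)]
    flows.append((1000, "10.0.5.30", "192.0.2.10", 443, "tcp", 120_000))  # benign host
    return flows

if __name__ == "__main__":
    print(detect_ddos_bursts(build_sample_flows()), detect_telnet_scanning(build_sample_flows()))
```

On the constructed sample only the router at 10.0.5.20 is flagged by both checks; the benign host stays below both thresholds.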