Full Report
A newly identified Mirai botnet exploits over 20 vulnerabilities, including zero-days, in industrial routers and smart home devices
Analysis Summary
# Vulnerability: New Mirai Botnet Exploiting Zero-Days in Routers and Smart Devices
## CVE Details
- CVE ID: CVE-2024-12856 (For one identified flaw)
- CVSS Score: Not explicitly provided in the text; severity is high given the zero-day nature of the flaws and their incorporation into an active botnet.
- CWE: Not specified (The text implies improper access control or command injection based on the context of router exploitation).
## Affected Systems
- Products: Four-Faith industrial routers, Neterbit routers, Vimar smart home devices.
- Versions: Specific vulnerable versions are not listed, only that they are affected by a zero-day or previously unseen vulnerability.
- Configurations: Devices likely exposed to the network (running vulnerable firmware/software) and potentially susceptible to weak Telnet credentials.
## Vulnerability Description
A new variant of the Mirai botnet, named "gayfemboy" by researchers (Qi'anxin XLab), is actively exploiting multiple vulnerabilities to rapidly expand its network. This botnet leverages at least one confirmed zero-day exploit against Four-Faith industrial routers (CVE-2024-12856), alongside previously unseen zero-day vulnerabilities in Neterbit routers and Vimar smart home devices. The botnet also utilizes n-day vulnerabilities and exploits weak, default Telnet credentials for intrusion.
## Exploitation
- Status: Exploited in the wild (Actively used by the "gayfemboy" botnet since February 2024).
- Complexity: Likely Low to Medium, given the combination of zero-days and reliance on default/weak credentials.
- Attack Vector: Network (Remote exploitation possible via exposed services).
## Impact
- Confidentiality: Potential compromise through device infection and underlying data access.
- Integrity: High potential for modification of device configurations and inclusion in DDoS attacks.
- Availability: High potential for Denial of Service against targeted devices or external networks if recruited into the botnet.
## Remediation
### Patches
- Patches for CVE-2024-12856 must be sourced from the vendor (Four-Faith).
- Patches for the vulnerabilities in Neterbit routers and Vimar smart home devices are **not yet publicly available** as they are currently zero-days or newly discovered.
### Workarounds
1. **Disable Telnet:** Immediately disable or block access to the Telnet service on all affected and peripheral IoT/Industrial devices.
2. **Strong Credentials:** Change all default/weak passwords on all network devices, especially routers. Implement complex, unique passwords.
3. **Network Segmentation:** Isolate industrial and smart home devices from critical internal networks.
4. **Firewall Rules:** Implement strict ingress/egress filtering to limit external access to management interfaces (HTTP/HTTPS/Telnet/SSH) on these devices.
## Detection
- Indicators of Compromise (IoCs): Look for unusual outbound network traffic originating from routers or IoT devices, especially attempting to communicate with known C2 infrastructure (which this article does not list, requiring internal threat intelligence).
- Detection methods and tools: Monitor network flows for devices communicating over unexpected protocols or high-volume external beaconing. Use specific vulnerability scanners to check for the exposure of services targeted by Mirai variants.
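As an added example (not code from the article or from the XLab researchers), the following Python script applies the two detection ideas above to a handful of constructed flow records: it flags monitored router/IoT hosts talking outbound on ports they are not expected to use, flags near-constant-interval connections to a single external host (beacon-like behaviour), and separately lists inbound Telnet connections from outside, since weak Telnet credentials are the intrusion vector the report describes. The device inventory, the "expected" port set, the internal address ranges and every IP, port and timestamp are assumptions constructed for the demo.

```python
"""Flow-based detection of Mirai-style IoT beaconing and Telnet exposure.

Added example, not from the article. Works on NetFlow-like records that a
collector would normally supply; here the records are constructed inline.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int


# Constructed inventory of routers/IoT devices under monitoring (assumption).
IOT_HOSTS = {"10.0.20.5", "10.0.20.6", "10.0.20.7"}

# Outbound ports these devices are expected to use: DNS, NTP, HTTPS (assumption).
EXPECTED_PORTS = {53, 123, 443}

# Address space the organisation considers internal (assumption); anything
# else is treated as external. Defined explicitly rather than via
# ipaddress.is_global so documentation ranges used below count as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def unexpected_protocol_flows(flows):
    """IoT hosts reaching external addresses on ports outside EXPECTED_PORTS."""
    return [f for f in flows
            if f.src in IOT_HOSTS and is_external(f.dst)
            and f.dport not in EXPECTED_PORTS]


def beaconing_hosts(flows, min_connections=5, jitter_tolerance=0.2):
    """(src, dst) pairs with >= min_connections external connections whose
    inter-arrival gaps all lie within jitter_tolerance of the mean gap.
    Returns {pair: mean_gap_seconds}."""
    by_pair = defaultdict(list)
    for f in flows:
        if f.src in IOT_HOSTS and is_external(f.dst):
            by_pair[(f.src, f.dst)].append(f.ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= jitter_tolerance * mean:
            hits[pair] = round(mean)
    return hits


def inbound_telnet_from_external(flows):
    """External sources connecting to Telnet (tcp/23) on monitored devices."""
    return [f for f in flows
            if f.dst in IOT_HOSTS and f.dport == 23 and f.proto == "tcp"
            and is_external(f.src)]


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = [
    # 10.0.20.5: six connections to one external host, exactly 60 s apart
    *[Flow(1700000000 + 60 * i, "10.0.20.5", "203.0.113.10", 1234, "tcp", 512)
      for i in range(6)],
    # 10.0.20.6: ordinary DNS/HTTPS/NTP at irregular intervals
    Flow(1700000005, "10.0.20.6", "198.51.100.53", 53, "udp", 80),
    Flow(1700000130, "10.0.20.6", "198.51.100.53", 53, "udp", 80),
    Flow(1700000131, "10.0.20.6", "203.0.113.80", 443, "tcp", 4096),
    Flow(1700000400, "10.0.20.6", "198.51.100.123", 123, "udp", 76),
    # 10.0.20.7: one outbound Telnet connection to an external host
    Flow(1700000200, "10.0.20.7", "198.51.100.7", 23, "tcp", 300),
    # external source hitting Telnet on a monitored device
    Flow(1700000050, "203.0.113.77", "10.0.20.7", 23, "tcp", 60),
    # internal management traffic, ignored by all three checks
    Flow(1700000210, "10.0.20.5", "10.0.0.1", 80, "tcp", 1500),
]


if __name__ == "__main__":
    for f in unexpected_protocol_flows(SAMPLE_FLOWS):
        print(f"unexpected port: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
    for (src, dst), gap in beaconing_hosts(SAMPLE_FLOWS).items():
        print(f"beacon-like: {src} -> {dst} every ~{gap}s")
    for f in inbound_telnet_from_external(SAMPLE_FLOWS):
        print(f"inbound telnet: {f.src} -> {f.dst}")
```

The beaconing check is deliberately strict (all gaps within 20% of the mean) so that ordinary periodic traffic such as NTP, which is usually on an expected port anyway, is not reported unless it also goes to an unexpected destination; in production the inventory and expected-port set would come from the asset database rather than constants.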
## References
- Vendor advisories: None explicitly listed for all vulnerabilities, but consult vendors (Four-Faith, Neterbit, Vimar) for updates regarding CVE-2024-12856 and associated disclosures.
- Relevant links - defanged: infosecurity-magazine dot com/news/mirai-botnet-zerodays-routers/