15 June 21, 11:56
Quote:A variant of the Mirai botnet called Moobot saw a big spike in activity recently, with researchers picking up widespread scanning in their telemetry for a known vulnerability in Tenda routers. It turns out that it was being pushed out from a new cyber-underground malware domain, known as Cyberium, which has been anchoring a large amount of Mirai-variant activity.
According to AT&T Alien Labs, the scanning for vulnerable Tenda routers piqued researcher interest given that such activity is typically rare. The targeted bug is a remote code-execution (RCE) issue (CVE-2020-10987).
“This spike was observed throughout a significant number of clients, in the space of a few hours,” according to an AT&T analysis, released Monday. “This vulnerability is not commonly used by web scanners and was barely detected by our honeypots during the last six months, except for a minor peak in November.”
Following the breadcrumbs of the activity, researchers tracked down the infrastructure behind the Tenda scans in late March – discovering that it was being used to scan for additional bugs, in the Axis SSI, Huawei home routers (CVE-2017-17215) and the Realtek SDK Miniigd (CVE-2014-8361). It was also deploying a DVR scanner that tried default credentials for the Sofia video application. These compromise efforts were tied to a variety of different Mirai-based botnet infections, including the Satori botnet.
Read more: Moobot Milks Tenda Router Bugs for Propagation | Threatpost