Akamai warns of active attacks from new Mirai variant

A new Mirai-based botnet is causing internet backbone provider Akamai to sound the alarm.

Known as Aquabotv3, the malware exploits a vulnerability in a series of Mitel internet-connected phones. The aim of the threat actors, according to Akamai researchers Larry Cashdollar and Kyle Lefton, is to create a platform for denial-of-service attacks.

“Aquabot is a botnet that was built off the Mirai framework with the ultimate goal of distributed denial of service,” the pair explained.

“Its name is derived from the filename present in the analysis: ‘Aqua.’ It has been known since November 2023 and first reported on by Antiy Labs.”

The vulnerability being targeted, CVE-2024-41710, is a command injection flaw resulting from improper sanitization of POST requests by the Mitel firmware. In short, an attacker can send the device a specially crafted HTTP request and execute commands they would otherwise not be allowed to execute, such as downloading and executing a botnet client.
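To make the bug class concrete, here is an added illustration (not Mitel's code and not from Akamai's report) of a hypothetical POST-parameter handler: the vulnerable form concatenates the parameter into a shell string, the hardened form allowlists the value and passes it as a single argv element with no shell, so metacharacters are never interpreted.

```python
import re
import subprocess
from typing import List, Optional

# Allowlist for the one thing this hypothetical handler expects: a hostname or IP.
# Anything else (spaces, ';', '|', '$', backticks, ...) is rejected outright.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def validate_param(value: str) -> Optional[str]:
    """Return the value unchanged if it is a plain hostname/IP, else None."""
    return value if HOST_RE.fullmatch(value) else None


def vulnerable_command(value: str) -> str:
    """The flawed pattern: untrusted POST data spliced into a shell command string."""
    return f"echo {value}"  # 'echo' stands in for whatever the firmware really invokes


def hardened_command(value: str) -> List[str]:
    """Validate first, then build an argv list; the value becomes exactly one argument."""
    host = validate_param(value)
    if host is None:
        raise ValueError("rejected: parameter is not a valid hostname")
    return ["echo", host]


def run_vulnerable(value: str) -> str:
    # shell=True hands the whole string to /bin/sh, so "host; <cmd>" runs <cmd> too.
    return subprocess.run(vulnerable_command(value), shell=True,
                          capture_output=True, text=True).stdout


def run_hardened(value: str) -> str:
    # No shell involved: the argv list is executed directly.
    return subprocess.run(hardened_command(value),
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    crafted = "10.0.0.5; echo injected"  # constructed sample of an injected parameter
    print("vulnerable:", repr(run_vulnerable(crafted)))   # second command executes
    try:
        run_hardened(crafted)
    except ValueError as exc:
        print("hardened:", exc)                           # request never reaches a shell
```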

While taking over a single phone may not seem like a particularly serious security risk, at scale it yields a massive collection of internet-connected devices capable of sending network requests at one target, AKA a DDoS cannon. In this case the threat is not to the device owners themselves, but to the other organizations that would face the bombardment.

The Akamai researchers noted that while CVE-2024-41710 is not a zero-day vulnerability, this is the first time it has been found to be actively targeted in the wild. Additionally, because few organizations bother to update the firmware on their desk phones, these devices will likely remain easy prey for the foreseeable future.

As for the malware itself, the researchers noted that this third iteration of the Aquabot malware displays some innovative new behavior.

Infected devices are now built to actively monitor their incoming requests and report on them. Specifically, when the malware receives a command to kill a connection, it calls a “report_kill” function that feeds the details back to the controlling server.

“We haven’t seen this behavior before in a Mirai variant so perhaps it may become a new feature,” the Akamai duo explained in their report.

“Although the true reason for this behavior has not been confirmed, this communication to the C2 could be a way for the botnet author to actively monitor the botnet’s health.”

Administrators are being advised to upgrade their Mitel device firmware to the latest applicable version.