A new Mirai variant is rapidly spreading, experts observed around 100K IPs running the scans in the past 60 hours searching for flawed ZyXEL PK5001Z routers.
According to Li Fengpei, a security researcher with Qihoo 360 Netlab, the publication of the proof-of-concept (PoC) exploit code in a public vulnerabilities database is the root cause of the increase of activity associated with the Mirai botnet.
After the publication of the PoC exploit code on October 31, the experts observed scans using it starting on Wednesday, November 22.
“About 60 hours ago, since 2017-11-22 11:00, we noticed big upticks on port 2323 and 23 scan traffic, with almost 100k unique scanner IP came from Argentina. After investigation, we are quite confident to tell this is a new mirai variant.” reads the analysis published by Fengpei.
The PoC triggers the flaw CVE-2016-10401 in old ZyXEL PK5001Z routers that was publicly disclosed in January 2016. ZyXEL PK5001Z routers have a hardcoded super-user password (zyad5001) that could be used to elevate a user’s access to root level. The su password cannot be used to log into the device.
Anyway, attackers have discovered that there’s a large amount of ZyXEL devices are using admin/CentryL1nk and admin/QwestM0dem as default Telnet credentials.
The PoC code recently published first logs into a remote ZyXEL device using one of the two Telnet passwords, and then uses the hardcoded su password to gain root privileges.
Starting on Wednesday, Netlab has detected a spike of scans on ports 23 and 2323 for Telnet authentication the evidence that attackers are using the above PoC to infect exposed device with Mirai.
“The abuse of these two credentials began at around 2017-11-22 11:00, and reached its peak during 2017-11-23 daytime. This is a good time span match with this 2323/23 port scanning on Scanmon.” continues the analysis.
“Quite a lot of IP abusing these two credential also appear in ScanMon radar.
- admin/CentryL1nk : 748 (66.5%) out of 1125
- admin/QwestM0dem : 1175 (69.4%) out of 1694″
Experts from Netlab detected around 100,000 IPs running the scans in the past 60 hours, this means that the new Mirai botnet is already composed of roughly 100,000 devices looking for vulnerable ZyXEL devices.
65,700 of these bots were located in Argentina because the ISP has shipped devices with the default credentials included in the public PoC.
There are no reports that Telefonica users are suffering from Internet connectivity outages, a circumstance that suggests that the owners of infected routers are not aware of the infection.
The security researcher Troy Mursch confirmed that that most of the scanner IP came from Argentina, precisely from the network of local ISP Telefonica de Argentina.
This is an all-time record for the most new unique IP address that I've seen added to the botnet in one day.
— Bad Packets (@bad_packets) November 23, 2017
The good news is that the Mirai bots do not have a persistence mechanism, this means that it could be eradicated when the infected device is rebooted.
This isn’t the first time that the Mirai bornet was used to target the devices belonging to a particular ISP’s network, late 2016 it was used to compromise more than 900,000 routers of the Deutsche Telekom in Germany.