Mirai and Gafgyt target Apache Struts and SonicWall to hit enterprises

Security experts with Unit 42 at Palo Alto Networks have discovered new variants of the Mirai and Gafgyt IoT malware targeting enterprises.

Both botnets appear very interesting for two main reasons:

  • The new Mirai variant targets the same Apache Struts vulnerability exploited in the 2017 Equifax data breach. The vulnerability affects the Jakarta Multipart parser upload function in Apache and could be exploited by an attacker to make a maliciously crafted request to an Apache web server.
  • The new Gafgyt variant targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).

The fact that bot malicious codes are targeting Apache Struts and SonicWall could indicate a shift from consumer device targets to enterprise targets.

“These developments suggest these IOT botnets are increasingly targeting enterprise devices with outdated versions.” reads the analysis published by Palo Alto Networks.

“All organizations should ensure they keep not only their systems up-to-date and patched, but also their IoT devices.” 

In September the experts detected Mirai samples that include the exploit code for 16 vulnerabilities, for the first time the malware target vulnerability in Apache Struts.

The samples are hosted on a domain that in August resolved to a different IP address August. In August, the same IP address was intermittently hosting samples of Gafgyt that were including the exploit code to trigger the CVE-2018-9866 flaw affecting older versions of SonicWall Global Management System (GMS).

The same domain has also been found associated with other Mirai activity in the past.

“For part of the month of August 2018, that same domain resolved to a different IP address 185[.]10[.]68[.]127.” continues the analysis. “At that time we found that IP hosting samples of Gafgyt containing an exploit for a recently disclosed SonicWall vulnerability (CVE-2018-9866) affecting older, unsupported versions of SonicWall Global Management System (GMS) (8.1 and older) that is not present in currently supported versions.” 

Experts noticed that the new Mirai samples don’t include the bruteforce functionality differently from other variants, they use l[.]ocalhost[.]host:47883 as C2, and implement the same encryption scheme as Mirai with the key 0xdeadf00d.

The Gafgyt samples first appeared in the wild on August 5, a few days after the publication of a Metasploit module for the SonicWall issue.  The samples borrow the code from Gafgyt rather than Mirai.

“The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could be an indication of a larger movement from consumer device targets to enterprise targets.” concludes Palo Alto Networks.

Further details, including IoCs, are reported in the analysis published by the experts.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase