Mirai Botnet Targets Four-Faith Routers for DDoS Attacks
New Variant of Mirai Botnet Exploits Security Flaw in Four-Faith Industrial Routers
A newly identified variant of the Mirai botnet is exploiting a recently uncovered security flaw in Four-Faith industrial routers. Since early November 2024, this botnet has been involved in orchestrating distributed denial-of-service (DDoS) attacks, raising concerns among cybersecurity experts. With an estimated 15,000 active IP addresses daily, this botnet’s infections are primarily concentrated in countries such as China, Iran, Russia, Turkey, and the United States.
Understanding the Mirai Botnet’s Threat
The Mirai botnet variant, referred to as "gayfemboy," has been active since February 2024. It takes advantage of over 20 known security vulnerabilities along with weak Telnet credentials to gain initial access to devices. According to QiAnXin XLab, the malware is specifically leveraging a critical zero-day vulnerability, CVE-2024-12856, affecting Four-Faith router models F3x24 and F3x36. This vulnerability has a CVSS score of 7.2 and allows for OS command injection by exploiting default credentials that have not been changed.
Key Vulnerabilities Exploited by the Botnet
The botnet employs a range of vulnerabilities to enhance its reach and effectiveness, including:
- CVE-2013-3307
- CVE-2013-7471
- CVE-2014-8361
- CVE-2016-20016
- CVE-2017-17215
- CVE-2017-5259
- CVE-2020-25499
- CVE-2020-9054
- CVE-2021-35394
- CVE-2023-26801
- CVE-2024-8956
- CVE-2024-8957
Once activated, the malware conceals its malicious processes and utilizes a Mirai-based command format to scan for additional vulnerable devices. It also updates itself and launches DDoS attacks against selected targets, with recent activity peaking in October and November 2024. These attacks can generate traffic of around 100 Gbps and typically last between 10 and 30 seconds.
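The traffic profile above (short floods of roughly 100 Gbps lasting 10 to 30 seconds) is what a defender can look for in per-target bandwidth telemetry. The following Python detector is an added example, not code from the article or from XLab's research: it scans per-second, per-target throughput samples and reports contiguous runs above a threshold whose duration falls inside the described window. The threshold (50 Gbps), the duration bounds, the IP addresses and the sample series are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class Burst:
    """One detected flood against a single target."""
    target: str
    start: int          # first second of the run (epoch seconds in real data)
    duration_s: int     # number of contiguous seconds above threshold
    peak_gbps: float    # highest sample seen during the run


def detect_bursts(samples: Iterable[Tuple[int, str, float]],
                  threshold_gbps: float = 50.0,
                  min_duration_s: int = 10,
                  max_duration_s: int = 30) -> List[Burst]:
    """Find short, high-volume floods in per-second throughput samples.

    samples: (timestamp, target, gbps) tuples, one per second per target.
    A run is a set of consecutive seconds (no timestamp gaps) at or above
    threshold_gbps; only runs whose length lies within
    [min_duration_s, max_duration_s] are reported. Defaults are assumptions
    modelled on the 10-30 second bursts described in the article.
    """
    by_target: Dict[str, List[Tuple[int, float]]] = {}
    for ts, target, gbps in samples:
        by_target.setdefault(target, []).append((ts, gbps))

    bursts: List[Burst] = []
    for target, series in by_target.items():
        series.sort()                     # order by timestamp
        run_start = None
        last_ts = None
        peak = 0.0
        for ts, gbps in series:
            contiguous = last_ts is not None and ts == last_ts + 1
            if gbps >= threshold_gbps and run_start is not None and contiguous:
                peak = max(peak, gbps)    # run continues
            else:
                # Close any open run (either traffic dropped or a gap appeared).
                if run_start is not None:
                    duration = last_ts - run_start + 1
                    if min_duration_s <= duration <= max_duration_s:
                        bursts.append(Burst(target, run_start, duration, peak))
                    run_start = None
                # Open a new run if this sample is itself above threshold.
                if gbps >= threshold_gbps:
                    run_start, peak = ts, gbps
            last_ts = ts
        # Flush a run that was still open at the end of the series.
        if run_start is not None:
            duration = last_ts - run_start + 1
            if min_duration_s <= duration <= max_duration_s:
                bursts.append(Burst(target, run_start, duration, peak))
    return bursts


def constructed_samples() -> List[Tuple[int, str, float]]:
    """Constructed telemetry (not real data): 60 seconds for two targets."""
    samples = []
    for ts in range(60):
        # Target A: 20-second flood around 100 Gbps starting at t=20.
        gbps_a = 100.0 + (ts % 3) if 20 <= ts < 40 else 2.0
        samples.append((ts, "203.0.113.10", gbps_a))
        # Target B: 3-second spike at 80 Gbps, too short to match the profile.
        gbps_b = 80.0 if 10 <= ts < 13 else 1.5
        samples.append((ts, "203.0.113.20", gbps_b))
    return samples


if __name__ == "__main__":
    for burst in detect_bursts(constructed_samples()):
        print(f"{burst.target}: {burst.duration_s}s flood from t={burst.start}, "
              f"peak {burst.peak_gbps:.1f} Gbps")
```

The duration window is the interesting part: the same loop with `min_duration_s=1` would also surface the 3-second spike against the second target, so tuning the bounds to the observed campaign profile is what separates these bursts from ordinary traffic spikes. In a real deployment the samples would come from flow collectors or router counters rather than the constructed series here.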
Recent Warnings and Broader Implications
This alarming news follows recent advisories from Juniper Networks, which highlighted that their Session Smart Router (SSR) products with unchanged default passwords are being targeted for Mirai botnet infections. Akamai also reported instances of Mirai malware exploiting a remote code execution vulnerability in DigiEver DVRs.
"DDoS attacks are among the most prevalent and devastating forms of cyber threats," state researchers from XLab. "The methods used are diverse and often concealed, continually evolving to execute sophisticated strikes against various sectors, posing a serious risk to enterprises, government entities, and individual users."
As cybercriminals increasingly target vulnerable and misconfigured systems—such as through exploiting CVE-2024-4577 to deploy cryptocurrency miners like PacketCrypt—the need for robust cybersecurity measures has never been more critical.