IoT botnets Mirai and Gafgyt target vulnerabilities in Apache Struts and SonicWall

0
1455
3 min read

Unit 42 of the Palo Alto Networks reported about two new variants of the IoT botnets named Mirai and Gafgyt last week on September 7, 2018. The former IoT botnet targets vulnerabilities in Apache Struts and the latter in older, unsupported versions of SonicWall’s Global Management System (GMS).

Researchers at Palo Alto Networks said, “Unit 42 found the domain that is currently hosting these Mirai samples previously resolved to a different IP address during the month of August. During that time this IP was intermittently hosting samples of Gafgyt that incorporated an exploit against CVE-2018-9866, a SonicWall vulnerability affecting older versions of SonicWall Global Management System (GMS). SonicWall has been notified of this development.”

Mirai variant botnet exploit in Apache Struts

The Mirai botnet exploit targets 16 different vulnerabilities, which includes the Apache Struts arbitrary command execution vulnerability CVE-2017-5638 , via crafted Content-Type, Content-Disposition, or Content-Length HTTP headers.

The same Mirai bug was associated with the massive Equifax data breach in September 2017.


This botnet had previously targeted routers and other IoT based devices which was revealed around end of May 2018. However, in the case of Mirai botnet, this is the first instance where it has targeted a vulnerability in Apache Struts.

This new Mirai variant is also targeting vulnerabilities such as:

  • the Linksys E-series device remote code execution flaw,
  • a D-Link router remote code execution flaw,
  • an OS command injection security flaw affecting Zyxel routers,
  • an unauthenticated command injection flaw affecting AVTECH IP devices and more.

Here’s the complete list of all exploits incorporated in this Mirai variant.

Gafgyt variant exploit in SonicWall GMS

The Gafgyt variant is targeting a security flaw, CVE-2018-9866 discovered in July that affects old, unsupported versions of SonicWall Global Management System (GMS) that is, versions 8.1 and older.

The vulnerability targeted by this exploit is caused by the lack of sanitization of XML-RPC requests to the set_time_config method. There is currently no fix for the flaw except for GMS users to upgrade to version 8.2.

Researchers noted that these samples were first surfaced on August 5, less than a week after the publication of a Metasploit module for this vulnerability. Some of its configured commands include launching the Blacknurse DDoS attack. Unit 42 researchers said, “Blacknurse is a low bandwidth DDoS attack involving ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016. The earliest samples we have seen supporting this DDoS method are from September 2017.”

The researchers also mentioned, “The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could indicate a larger movement from consumer device targets to enterprise targets. These developments suggest these IoT botnets are increasingly targeting enterprise devices with outdated versions.”

In an email directed to us, SonicWall mentions that “The vulnerability disclosed in this post is not an announcement of a new vulnerability in SonicWall Global Management System (GMS).  The issue referenced only affects an older version of the GMS software (version 8.1) which was replaced by version 8.2 in December 2016. Customers and partners running GMS version 8.2 and above are protected against this vulnerability.  Customers still using GMS version 8.1 should apply a hotfix supplied by SonicWall in August 2018 and plan for an immediate upgrade, as GMS 8.1 went out of support in February 2018.  SonicWall and its threat research team continuously updates its products to provide industry-leading protection against the latest security threats, and it is therefore crucial that customers are using the latest versions of our products. We recommend that customers with older versions of GMS, which are long out of support, should upgrade immediately from www.mysonicwall.com.”

To know more about these IoT botnet attacks in detail, visit Palo Alto Networks Unit 42 blog post.

Read Next

Build botnet detectors using machine learning algorithms in Python [Tutorial]

Cisco and Huawei Routers hacked via backdoor attacks and botnets

How to protect yourself from a botnet attack