Mozi IoT botnet now targets Netgear, Huawei, and ZTE network gateways

P2p botnet gained new capabilities and now can affect more devices

New evolved peer-to-peer botnet now can affect particularly juicy targets - network gateaways.

Mozi botnet that usually targets IoT devices apparently has evolved and became even more threatening with new functions that allow achieving persistence on network gateways. New findings show that targets of this botnet could be network gateways particularly manufactured by Netgear, Huawei, and ZTE, very well-known names in the industry.

Experts and researchers of Microsoft Security Threat Intelligence Center and at Section 52 at Azure Defender for IoT state ^[1] that network gateways are interesting targets for such attacks due to easy initial access points to corporate networks:

By infecting routers, they can perform man-in-the-middle (MITM) attacks—via HTTP hijacking and DNS spoofing—to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities.

In many instances, Mozi botnet spreads easily because of the weak and default password usage. In certain scenarios, unpatched IoT vulnerabilities could cause potential danger as IoT malware communicates using a BitTorrent-like Distributed Hash Table and records contact information for other nodes in the botnet.

Mozi IoT botnet exploits weak cybersecurity

Microsoft's IoT team of security experts discovered that the malware of Mozi botnet could be upgraded in order to increase its chances of survival upon reboot or any other attempt by other malware or responders to interfere with its operation, including achieving persistence on targeted devices and blocking TCP ports (23, 2323, 7547, 35000, 50023, and 58000).

Mozi has been upgraded to support new commands that enable the malware to hijack HTTP sessions and carry out DNS spoofing too. Users of Netgear, Huawei, and ZTE routers are recommended to secure the devices using strong passwords and update the devices to the latest firmware.

Microsoft experts state that in doing so, users will reduce the risk of possible attack surfaces, leveraged by the botnet and prevent attackers from getting into a position where they can use the newly discovered persistence and other exploit techniques described in more detail below.^[2]

Some experts believe that botnet groups like Mozi will ramp up operations in the future and we will see IoT activity surges. Organizations and people using IoT devices need to be aware of the evolving threat, keeping in mind that command injection remains the primary infection vector of choice for threat actors.^[3]

Threat actors are taking advantage of vulnerable IoT devices

Back in September 2020, is it was noted in one of IBM X-Force analysis, that Mozi accounted for as much as 90% of the observed IoT network traffic from October 2019 through June 2020. This information leads to an indication that threat actors are increasingly taking advantage of the expanding attack surface offered by the IoT devices.^[4]

Back to the present, last month another analysis was shared by Elastic Security Intelligence and Analytics Team which has found that at least 24 countries have been targeted. Overall, as the amount of connected devices has grown exponentially in recent years, the IoT has proven to be hugely useful incredibly fitting for launching cyber attacks.^[5]

Malicious threat creators can always change their targets and purposes, but the main focus is money, so deploying such threats like ransomware^[6] can become easier with the help of these functions and malware like the Mozi IoT botnet.