New wave of Moonbot botnet attacks targeting D-Link routers

Botnet linked to notorious Mirai malware comes after the unpatched D-Link routers

The new wave of the attacks can be present using vulnerable D-Link routers

MooBot has emerged with the new attack wave that started in August and is targeting vulnerable D-Link routers with a mix of old and unknown exploits. The nasty piece was discovered in 2021 when the botnet targeted a flaw in Hikvision cameras^[1] to spread widely and enlist a large number of devices into the DDoS^[2] army.

Recent attack campaigns show that the malware has refreshed the targeting scope.^[3] Typical behavior for botnets is to look for untapped pools of vulnerable devices that can be matched. Unit 42 researchers from Palo Alto Network reported that MoonBot is aiming at the critical vulnerabilities in D-Link devices:

• CVE-2015-2051 – the HNAP SOAPAction header command execution flaw.
• CVE-2018-6530 – SOAP interface remote code execution vulnerability.
• CVE-2022-26258 – D-Link remote command execution flaw.
• CVE-2022-28958 – D-Link remote command execution vulnerability.

Vulnerable devices still remain unpatched

MooBot creators leverage the low-attack complexity of these flaws to get the remote code execution opportunities on the targeted machine. This way, the malware can be fetched and arbitrary commands used. The vendor has issued proper security updates with patches to address these major vulnerabilities, but users have failed to apply these patches yet.

Malware can decode the hardcoded address from the configuration, and newly infected routers get registered on the c&c server threat actors' control.^[4] Analysis of the list of those servers shows that the infrastructure has been refreshed and that this is a new wave of the attack.

Captured routers participate in the direct DDoS attacks against various companies that these operators aim at and in attacks that criminals want to achieve. The last two mentioned flaws are especially new, only discovered in March and May of this year, so patches for them are fairly new and cannot be applied by many users.^[5]

Major consequences of the activity involving botnets

It is common for threat actors like this to sell DDoS services to other malicious criminals, so these botnets power other attacks and campaigns for criminals interested in causing downtime or direct disruption to sites and online services, and businesses. Compromising devices can cause major issues because not every DDoS attack can be stopped and the damage recovered.

The particular Mirai malware made news in 2016 as the first major botnet that took advantage of the IoT botnet devices. Now, these versions based on the malware have been increasing in numbers of attacks and particular DDoS incidents. This is the risk for critical infrastructure, and nation-state actors can launch attacks against the power grid of the country and shut it down. These are major issues that can be acts of cyber ware too and pose a risk countrywide.

Users who already think their device might be affected should reset them via the physical reset button, change admin passwords, and install the latest security updates from the vendor. Users with compromised devices may notice issues with the internet speed, slow responsiveness, overheating of the router, and inexplicable DNS configuration changes.

There are some ways to fight these issues. one of the methods is applying the available firmware updates on the D-Link router. If the old and unsupported device is used right now, configurations for such remote access prevention can be presented via the admin panel.