- Security Researchers Observe New Botnet Creation Campaign Called Murdoc
- The attacks target IP cameras and routers.
- More than 1,000 devices have been identified as compromised
Cybersecurity researchers from the Qualys Threat Research Unit have observed a new large-scale operation that exploits vulnerabilities in IP cameras and routers to build a botnet.
In a technical analysis, Qualys said the attackers were primarily exploiting CVE-2017-17215 and CVE-2024-7029, seeking to compromise AVTECH IP cameras and Huawei HG532 routers. The botnet is essentially Mirai, although in this case it was called Murdoc.
Qualys said Murdoc demonstrated “enhanced capabilities, exploiting vulnerabilities to compromise devices and establish expansive botnet networks.”
The persevering Mirai
The campaign most likely began in July 2024 and has managed to compromise 1,370 systems so far. Most of the victims are in Malaysia, Mexico, Thailand, Indonesia and Vietnam.
With a network of Internet-connected devices (bots) under their control, malicious actors can mount distributed denial of service (DDoS) attacks, bringing down websites and services, disrupting operations, and causing financial and reputational damage.
Mirai is a widely used family of botnet malware. Created by three college students in the US, Paras Jha, Josiah White and Dalton Norman, Mirai became famous in 2016 after orchestrating a large-scale DDoS attack against Dyn, which temporarily disrupted major websites including Netflix and Twitter.
The creators posted the source code online just before their arrest in 2017. They pleaded guilty to using the botnet for DDoS attacks and other schemes.
While law enforcement continues its efforts to disrupt the botnet, it has shown great resilience and remains active to this day.
Less than two weeks ago, a Mirai variant called ‘gayfemboy’ was found exploiting a bug in Four-Faith industrial routers. Although it clearly emerged from Mirai, this new version differs greatly, abusing more than 20 vulnerabilities and targeting weak Telnet passwords. Some of the vulnerabilities have never been seen before and do not yet have CVEs assigned. These include bugs in Neterbit routers and Vimar smart home devices.