A new Mirai variant is rapidly spreading, experts observed around 100K IPs running the scans in the past 60 hours searching for flawed ZyXEL PK5001Z routers.
According to Li Fengpei, a security researcher with Qihoo 360 Netlab, the publication of the proof-of-concept (PoC) exploit code in a public vulnerabilities database is the root cause of the increase of activity associated with the Mirai botnet.
After the publication of the PoC exploit code on October 31, the experts observed scans using it starting on Wednesday, November 22.
“About 60 hours ago, since 2017-11-22 11:00, we noticed big upticks on port 2323 and 23 scan traffic, with almost 100k unique scanner IP came from Argentina. After investigation, we are quite confident to tell this is a new mirai variant.” reads the analysis published by Fengpei.
The PoC triggers the flaw CVE-2016-10401 in old ZyXEL PK5001Z routers that was publicly disclosed in January 2016. ZyXEL PK5001Z routers have a hardcoded super-user password (zyad5001) that could be used to elevate a user’s access to root level. The su password cannot be used to log into the device.
Anyway, attackers have discovered that there’s a large amount of ZyXEL devices are using admin/CentryL1nk and admin/QwestM0dem as default Telnet credentials.
The PoC code recently published first logs into a remote ZyXEL device using one of the two Telnet passwords, and then uses the hardcoded su password to gain root privileges.
Starting on Wednesday, Netlab has detected a spike of scans on ports 23 and 2323 for Telnet authentication the evidence that attackers are using the above PoC to infect exposed device with Mirai.
“The abuse of these two credentials began at around 2017-11-22 11:00, and reached its peak during 2017-11-23 daytime. This is a good time span match with this 2323/23 port scanning on Scanmon.” continues the analysis.
“Quite a lot of IP abusing these two credential also appear in ScanMon radar.
To read the original article: