A novel variant of the Mirai botnet, dubbed Aquabot, has been spotted attempting to breach Mitel phones so that it can enlist them in distributed denial-of-service (DDoS) attacks. Affected phones include the Mitel 6800 Series, 6900 Series and 6900w Series SIP Phones, and the Mitel 6970 Conference Unit. Mitel already addressed the vulnerability in July 2024, and a proof-of-concept (PoC) exploit has been publicly available since August 2024.
The primary vulnerability targeted by Aquabot is CVE-2024-41710, a moderate-severity command injection flaw with a CVSS score of 6.8. If exploited, it lets an attacker execute commands in the phone’s context. Additional vulnerabilities the botnet targets include CVE-2018-10561, CVE-2018-10562, CVE-2018-17532, CVE-2022-31137, and CVE-2023-26801. The botnet is also exploiting a remote code execution bug in Linksys E-series devices.
Security researchers at Akamai were the first to spot the variant and claim that the malware exhibits behaviour they haven’t seen before. It comes with a novel “report_kill” function that reports to a command and control (C2) server once it catches a kill signal on the infected device. However, the researchers didn’t find any responses from the server to this particular command at the time of writing.

Active exploitation attempts against CVE-2024-41710 have been spotted since early January 2024. The attacks reportedly carry a malicious payload identical to the PoC exploit released in August 2024. It works by executing a shell script which in turn runs a wget command on the device to fetch Aquabot builds for varying CPU architectures. Aquabot also attempts to hide itself post-infection, renaming itself to “httpd.x86” to avoid detection. It is also programmed to terminate processes that match certain criteria, such as local shells.
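The renaming described above is a cheap masquerade, and it is also cheap to hunt for. The following is an added example, not code from the article or from Akamai, that scans a process listing for three indicators: a process name ending in a CPU-architecture suffix (the article confirms only “httpd.x86”; the wider suffix list is an assumption based on the Mirai family's naming habit), an executable running from a scratch directory, and a process that calls itself httpd but is not in a system binary path. The sample listing is constructed for the example.

```python
from dataclasses import dataclass

# Constructed ps-like listing (not real telemetry). The last two rows imitate
# the post-infection masquerade the article describes: a binary named like a
# web server but running from a scratch directory.
SAMPLE_PS = """\
  PID USER     COMM      ARGS
    1 root     init      /sbin/init
  212 root     httpd     /usr/sbin/httpd -f /etc/httpd.conf
  940 root     httpd.x86 /tmp/httpd.x86
  951 root     .x        /dev/shm/.x
"""

# Assumed indicators, not taken from the article: Mirai-family samples are
# commonly named after the architecture they were built for. Only "x86" is
# confirmed by the article; the rest are a hypothetical watchlist.
ARCH_SUFFIXES = ("x86", "x86_64", "arm", "arm5", "arm6", "arm7",
                 "mips", "mpsl", "ppc", "sh4", "m68k")
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/var/run/")
SYSTEM_BIN_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/")


@dataclass
class Finding:
    pid: int
    comm: str
    path: str
    reasons: tuple


def parse_ps(text):
    """Parse 'PID USER COMM ARGS' rows; the header row is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, user, comm, args = parts
        rows.append((int(pid), user, comm, args))
    return rows


def assess(pid, user, comm, args):
    """Return a Finding if the process matches any indicator, else None."""
    reasons = []
    path = args.split()[0]  # first token of ARGS is the executable path
    name_parts = comm.rsplit(".", 1)
    if len(name_parts) == 2 and name_parts[1] in ARCH_SUFFIXES:
        reasons.append(f"name carries architecture suffix '.{name_parts[1]}'")
    if path.startswith(SCRATCH_DIRS):
        reasons.append(f"executable runs from scratch directory ({path})")
    if comm.startswith("httpd") and not path.startswith(SYSTEM_BIN_DIRS):
        reasons.append("claims to be httpd but is not under a system binary path")
    return Finding(pid, comm, path, tuple(reasons)) if reasons else None


def find_masquerading_processes(ps_text):
    """Run every row of a ps-style listing through assess() and keep the hits."""
    return [f for f in (assess(*row) for row in parse_ps(ps_text)) if f]


if __name__ == "__main__":
    for finding in find_masquerading_processes(SAMPLE_PS):
        print(f"pid {finding.pid} ({finding.comm} at {finding.path}):")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

On a real device the listing would come from `ps` (or from `/proc`) rather than the embedded string; the legitimate `/usr/sbin/httpd` row passes cleanly, while both scratch-directory binaries are reported, the renamed one with all three reasons.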
While the identity of the threat actors behind Aquabot remains unknown, researchers have discovered threat actors advertising the botnet as a DDoS service on Telegram. The botnet has been advertised under the monikers Cursinq Firewall, The Eye Services, and The Eye Botnet, offering layer 4 and layer 7 DDoS attack services.
This is reportedly the third variant of the infamous Mirai botnet. A wide range of internet-connected devices either have inadequate defences, have reached an end-of-life state, or are not appropriately protected (for example, default credentials still in active use), and hence become easy targets for botnets to carry out DDoS attacks.