
Aquabot Botnet Exploits CVE-2024-41710 in Mitel Phones for Large-Scale DDoS Attacks



New Aquabot Botnet Targets Mitel Phones via CVE-2024-41710

A newly identified Mirai-based botnet variant, Aquabot, is actively exploiting a security vulnerability in Mitel phones to recruit them into a Distributed Denial-of-Service (DDoS) attack network.


The flaw, CVE-2024-41710 (CVSS score: 6.8), is a command injection vulnerability within the boot process of Mitel’s 6800 Series, 6900 Series, and 6900w Series SIP Phones and the Mitel 6970 Conference Unit. Successful exploitation lets attackers execute arbitrary commands, enabling full remote control over affected devices.


Aquabot Botnet: Weaponizing CVE-2024-41710

Mitel patched the vulnerability in July 2024, but the availability of a Proof-of-Concept (PoC) exploit in August has made it a prime target for attackers. Akamai security researchers Kyle Lefton and Larry Cashdollar have confirmed that exploitation attempts have been ongoing since early January 2025, with attack payloads closely resembling the public PoC.


Aquabot spreads by executing a malicious shell script that uses the wget command to download botnet malware tailored for different CPU architectures. This attack method mirrors traditional Mirai infection tactics, leveraging unsecured or outdated IoT devices to expand the botnet.


A Growing Threat: Additional Vulnerabilities Targeted

Beyond CVE-2024-41710, Aquabot is actively exploiting older vulnerabilities, including:


Aquabot’s Evolution: Stealth & Advanced C2 Communication

Aquabot represents the third known iteration of Mirai-derived malware, incorporating advanced stealth tactics. Notably, it features a "report_kill" function that informs the botnet’s Command-and-Control (C2) server when a kill signal is detected on an infected device. However, no direct server response has been observed so far.


Additionally, this version renames itself to "httpd.x86" to evade detection and is programmed to terminate specific processes, including local shell access. Security experts believe these updates may enable Aquabot to outmaneuver competing botnets or develop more evasive variants.


Aquabot Botnet Monetization: DDoS-for-Hire Services

Threat intelligence suggests that Aquabot’s operators are commercializing their botnet via Telegram-based DDoS-for-hire services under aliases such as:

  • Cursinq Firewall

  • The Eye Services

  • The Eye Botnet


Despite claims that the botnet is used only for DDoS mitigation testing, analysis shows active marketing of Aquabot as a paid DDoS attack tool.


The Ongoing Threat of Mirai-Based Botnets

The resurgence of Mirai-based malware underscores the persistent security risks associated with IoT devices. Many vulnerable devices either lack robust security measures, have reached end-of-life, or remain configured with default credentials, making them prime targets for botnet-driven cyberattacks.


Mitigation & Recommendations

To defend against Aquabot and similar IoT-targeting threats, security experts recommend:

  • Applying Mitel’s security patches immediately to prevent exploitation.

  • Disabling remote management on affected devices unless necessary.

  • Using strong, unique passwords to prevent brute-force attacks.

  • Implementing network-level defenses like firewall rules & intrusion detection systems (IDS).
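
As an added illustration of the IDS-style recommendation above (this is not code from the article, Akamai or Mitel), the following Python example flags the download pattern described earlier: one device using wget to pull builds for several CPU architectures from the same server in a short window. The log format, the architecture suffix list, the thresholds and all addresses are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Suffixes commonly seen on Mirai-family builds (assumption, not taken from the article).
ARCH = {"x86", "x86_64", "i586", "i686", "arm", "arm5", "arm6", "arm7",
        "mips", "mpsl", "mipsel", "ppc", "sh4", "m68k", "spc", "arc"}
WINDOW = timedelta(minutes=5)   # assumed time window
MIN_ARCHES = 3                  # assumed number of distinct architectures before alerting

# Constructed egress-proxy lines: "<ISO time> <client ip> <method> <url> <user-agent>"
SAMPLE = [
    "2025-01-10T08:00:01 192.0.2.10 GET http://203.0.113.5/bins/sample.x86 Wget/1.20",
    "2025-01-10T08:00:02 192.0.2.10 GET http://203.0.113.5/bins/sample.mips Wget/1.20",
    "2025-01-10T08:00:03 192.0.2.10 GET http://203.0.113.5/bins/sample.arm7 Wget/1.20",
    "2025-01-10T09:00:00 192.0.2.12 GET http://198.51.100.7/fw/update.x86 Wget/1.20",
    "2025-01-10T10:00:00 192.0.2.12 GET http://198.51.100.7/fw/update.mips Wget/1.20",
    "2025-01-10T11:00:00 192.0.2.12 GET http://198.51.100.7/fw/update.arm Wget/1.20",
]

def arch_of(url):
    """Return the architecture suffix of the requested file name, or None."""
    name = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    suffix = name.rsplit(".", 1)[-1]
    return suffix if suffix in ARCH else None

def find_droppers(lines):
    """Return [(client, server, arches)] for clients fetching >= MIN_ARCHES builds within WINDOW."""
    hits = defaultdict(list)  # (client, server) -> [(time, arch)]
    for line in lines:
        parts = line.split(None, 4)
        if len(parts) != 5:
            continue  # skip lines that do not match the assumed format
        ts, client, method, url, agent = parts
        arch = arch_of(url)
        if method != "GET" or arch is None or "wget" not in agent.lower():
            continue
        hits[(client, urlsplit(url).netloc)].append((datetime.fromisoformat(ts), arch))
    alerts = []
    for (client, server), events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            arches = {a for t, a in events[i:] if t - start <= WINDOW}
            if len(arches) >= MIN_ARCHES:
                alerts.append((client, server, sorted(arches)))
                break
    return alerts

if __name__ == "__main__":
    print(find_droppers(SAMPLE))
```

The second client in the sample fetches three architectures hours apart and is not flagged, which shows why the time window matters for keeping false positives down on networks with legitimate firmware mirrors.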


Final Thoughts

The Aquabot botnet’s rapid spread highlights the ongoing vulnerability of IoT devices and the growing commercialization of cyber threats. As cybercriminals continue to evolve, staying ahead with timely patches and proactive security measures is critical to mitigating large-scale DDoS attacks.