A newly discovered Mirai botnet variant has been actively exploiting a critical security vulnerability in Four-Faith industrial routers since early November 2024, enabling large-scale Distributed Denial-of-Service (DDoS) attacks.
The botnet counts approximately 15,000 daily active IP addresses, with infections predominantly observed in China, Iran, Russia, Turkey, and the United States. It exploits over 20 known vulnerabilities alongside weak Telnet credentials to gain initial access, making it a formidable cyber threat.
Zero-Day Vulnerability in Four-Faith Routers
Researchers at QiAnXin XLab detected the botnet leveraging a zero-day vulnerability (CVE-2024-12856, CVSS Score: 7.2) affecting Four-Faith router models F3x24 and F3x36. The flaw is an OS command injection that can be exploited on devices whose default credentials have not been changed, allowing attackers to gain remote control over them.
Mirai Botnet’s Expanding Arsenal of Exploits
Apart from CVE-2024-12856, the botnet is known to abuse several historical vulnerabilities to maximize its reach, including:
CVE-2013-3307
CVE-2013-7471
CVE-2014-8361
CVE-2016-20016
CVE-2017-17215
CVE-2017-5259
CVE-2020-25499
CVE-2020-9054
CVE-2021-35394
CVE-2023-26801
CVE-2024-8956
CVE-2024-8957
Once deployed, the malware hides its malicious processes and executes Mirai-style command-and-control operations to scan for vulnerable devices, propagate itself, and launch high-impact DDoS attacks.
Massive DDoS Attacks Surge in 2024
The botnet has launched hundreds of DDoS attacks daily, peaking in October and November 2024. These attacks last between 10 and 30 seconds but generate immense traffic, reaching up to 100 Gbps, overwhelming targeted entities across multiple industries.
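As an added example (not code from the article or from XLab), the following Python script flags the short, high-volume bursts the paragraph describes when run over constructed per-second traffic totals; the destination IPs, byte counts and thresholds are illustrative assumptions, not values from the report.

```python
"""Flag short volumetric DDoS bursts in per-second traffic totals.

Input records are (timestamp_seconds, destination_ip, bytes) tuples such as a
flow collector might emit once per second. Runs of consecutive seconds at or
above the rate threshold are reported as bursts when they last between
min_seconds and max_seconds, and as sustained floods when they last longer.
"""
from collections import defaultdict

# Constructed sample data (hypothetical addresses from the TEST-NET-3 range).
SAMPLES = (
    [(t, "203.0.113.10", 1_500_000_000) for t in range(100, 112)]   # 12 s burst, 12 Gbps
    + [(105, "203.0.113.10", 500_000_000)]                           # extra bytes at 105 -> 16 Gbps peak
    + [(t, "203.0.113.20", 1_500_000_000) for t in range(200, 240)]  # 40 s sustained flood
    + [(t, "203.0.113.30", 100_000_000) for t in range(100, 130)]    # benign 0.8 Gbps background
)


def bytes_to_gbps(nbytes):
    """Convert a one-second byte total to gigabits per second."""
    return nbytes * 8 / 1e9


def find_bursts(samples, threshold_gbps=10.0, min_seconds=5, max_seconds=30):
    """Return (bursts, sustained): lists of (dst, start_ts, duration_s, peak_gbps)."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for ts, dst, nbytes in samples:
        per_dst[dst][ts] += nbytes          # merge several records for the same second
    bursts, sustained = [], []
    for dst, series in per_dst.items():
        run = []                            # (ts, gbps) for the current over-threshold run
        for ts in sorted(series) + [None]:  # trailing None closes an open run
            gbps = bytes_to_gbps(series[ts]) if ts is not None else 0.0
            contiguous = bool(run) and ts is not None and ts == run[-1][0] + 1
            if gbps >= threshold_gbps and (not run or contiguous):
                run.append((ts, gbps))
                continue
            if run:                         # run ended: a gap, a quiet second, or end of data
                record = (dst, run[0][0], len(run), max(g for _, g in run))
                (bursts if min_seconds <= len(run) <= max_seconds else sustained).append(record)
                run = []
            if gbps >= threshold_gbps:      # over threshold again after a gap: new run
                run.append((ts, gbps))
    return bursts, sustained


if __name__ == "__main__":
    found, long_floods = find_bursts(SAMPLES)
    for dst, start, dur, peak in found:
        print(f"burst  to {dst}: start={start}s duration={dur}s peak={peak:.1f} Gbps")
    for dst, start, dur, peak in long_floods:
        print(f"flood  to {dst}: start={start}s duration={dur}s peak={peak:.1f} Gbps")
```

Against the constructed data it reports one 12-second burst peaking at 16 Gbps and one 40-second sustained flood, while the 0.8 Gbps background traffic is ignored.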
Mirai Expanding to New Targets
This discovery follows recent Juniper Networks warnings about Session Smart Router (SSR) vulnerabilities, which cybercriminals have exploited to spread Mirai malware. Meanwhile, Akamai has reported Mirai infections leveraging remote code execution (RCE) flaws in DigiEver DVRs.
The Rising Threat of DDoS Attacks
According to XLab researchers:
“DDoS has become one of the most common and destructive cyber threats. Attack techniques are constantly evolving, with highly concealed attack paths targeting enterprises, government organizations, and individual users.”
In parallel, cybercriminals are exploiting misconfigured PHP servers (e.g., CVE-2024-4577) to deploy a PacketCrypt cryptocurrency miner, underscoring the persistent and evolving nature of cyber threats.
Key Takeaways for Cybersecurity
Patch Vulnerabilities: Ensure all devices, especially industrial routers, are updated with the latest security patches.
Change Default Credentials: Always modify factory-set passwords to prevent unauthorized access.
Deploy DDoS Mitigation: Organizations should implement traffic filtering, rate limiting, and firewalls to protect against large-scale attacks.
Monitor Network Traffic: Employ threat intelligence tools to detect and mitigate anomalous activities in real time.
With the Mirai botnet evolving and new exploits emerging, cybersecurity professionals must remain vigilant and proactive in safeguarding networks against these highly adaptive threats.