A variant of the Mirai botnet known as Moobot is targeting vulnerable D-Link routers using a mix of old and new exploits, researchers at Palo Alto’s Unit 42 have warned.
First spotted by Qihoo 360's Netlab team in September 2019, Moobot has been known to target LILIN digital video recorders and Hikvision video surveillance systems to expand its network of bots.
A new wave of attacks was detected by the Unit 42 team in late August 2022. It targeted D-Link routers by exploiting a number of remote code execution vulnerabilities, including:
CVE-2015-2051 - D-Link HNAP SOAPAction Header Command Execution Vulnerability
CVE-2018-6530 - D-Link SOAP Interface Remote Code Execution Vulnerability
CVE-2022-26258 - D-Link Remote Command Execution Vulnerability
CVE-2022-28958 - D-Link Remote Command Execution Vulnerability
Although the manufacturer has released security updates to fix the above flaws, many users have yet to update their devices.
Successful exploitation of these bugs allows the attackers to execute code on the vulnerable system and fetch a Moobot payload from a command-and-control server. Once this is achieved, the newly compromised device becomes part of the Moobot botnet and is used to conduct further attacks, such as DDoS.