Various threat actors are exploiting vulnerabilities in Cacti servers and Realtek devices to infect the unpatched systems with Moobot (Perlbot) and ShellBot malware used for DDoS attacks.
The warning comes from researchers at Fortinet’s FortiGuard Labs who observed the attacks exploiting CVE-2021-35394 (Realtek) and CVE-2022-46169 (Cacti) in January and March 2023.
CVE-2022-46169 is a critical authentication bypass and command injection flaw in Cacti servers that allows an unauthenticated user to execute arbitrary code. The vulnerability exists due to insufficient authorization within the Remote Agent when handling HTTP requests with a custom Forwarded-For HTTP header. A remote non-authenticated attacker can send a specially crafted HTTP request to the affected instance and execute arbitrary OS commands on the server.
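Because the article identifies the Forwarded-For header as the vector for both the authorization bypass and the command injection, one thing a defender can do while patching is rolled out is review web-server access logs for requests whose Forwarded-For value is not a plain address. The script below is an added example, not code from the article, from Fortinet or from the Cacti project. It assumes the web server has been configured to log the Forwarded-For header as the last double-quoted field of each access-log line; the log lines, paths and addresses in it are constructed samples.

```python
"""Flag suspicious Forwarded-For header values in web-server access logs.

Added example; assumes a log format whose last quoted field is the
Forwarded-For header value. All sample lines below are constructed.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample access-log lines (placeholder paths and addresses).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2023:10:01:02 +0000] "GET /cacti/ HTTP/1.1" 200 512 "-"
198.51.100.7 - - [12/Mar/2023:10:01:05 +0000] "GET /cacti/ HTTP/1.1" 200 64 "10.0.0.5"
198.51.100.7 - - [12/Mar/2023:10:01:09 +0000] "GET /cacti/ HTTP/1.1" 200 64 "127.0.0.1"
198.51.100.7 - - [12/Mar/2023:10:02:14 +0000] "GET /cacti/ HTTP/1.1" 200 64 "127.0.0.1; id"
198.51.100.7 - - [12/Mar/2023:10:02:20 +0000] "GET /cacti/ HTTP/1.1" 200 64 "`whoami`"
198.51.100.7 - - [12/Mar/2023:10:02:31 +0000] "GET /cacti/ HTTP/1.1" 200 64 "not an ip"
"""

# client, timestamp, request line, status, bytes, forwarded-for (last quoted field)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)"$')

# Characters that have no business in an address list but drive shell parsing.
SHELL_META = re.compile(r"[;|&`$<>]")


def parse_addresses(value: str) -> List[ipaddress._BaseAddress]:
    """Return the addresses in a comma-separated Forwarded-For value.

    Raises ValueError if any element is not a valid IP address.
    """
    if value in ("-", ""):
        return []
    return [ipaddress.ip_address(part.strip()) for part in value.split(",")]


def classify_forwarded_for(value: str) -> str:
    """Classify one header value; 'ok' means nothing worth reviewing."""
    if SHELL_META.search(value):
        return "command-injection-indicator"
    try:
        addresses = parse_addresses(value)
    except ValueError:
        return "malformed-header"
    # A client asserting that the request came from the loopback interface
    # is worth a second look on a host that only expects local pollers.
    if any(addr.is_loopback for addr in addresses):
        return "loopback-address-claimed"
    return "ok"


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per log line whose Forwarded-For value is not 'ok'."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            findings.append({"reason": "unparsed-line", "line": line})
            continue
        client, when, request, status, forwarded_for = match.groups()
        verdict = classify_forwarded_for(forwarded_for)
        if verdict != "ok":
            findings.append({
                "reason": verdict,
                "client": client,
                "time": when,
                "request": request,
                "status": status,
                "forwarded_for": forwarded_for,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['reason']:30} {finding.get('client', '?'):16} "
              f"{finding.get('forwarded_for', finding.get('line', ''))!r}")
```

The three rules are ordered from most to least specific: shell metacharacters are checked first so that a value such as `127.0.0.1; id` is reported as an injection indicator rather than merely as a loopback claim. Treat a loopback claim as a review item, not proof of compromise, since legitimate reverse proxies on the same host can produce it.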
CVE-2021-35394 is a command injection vulnerability in the Realtek Jungle SDK, which stems from improper input validation within the MP Daemon diagnostic tool. The flaw allows a remote unauthenticated attacker to execute arbitrary OS commands on the target system. The vulnerability has previously been exploited to distribute botnets such as Mirai, Gafgyt, Mozi, and RedGoBot; however, this marks the first time CVE-2021-35394 has been used by Moobot, a Mirai variant botnet that targets exposed networking devices.
“Over the past few months, threat actors have been spreading ShellBot and Moobot malware on exploitable servers. Compromised victims can be controlled and used as DDoS bots after receiving a command from a C2 server. Because Moobot can kill other botnet processes and also deploy brute force attacks, administrators should use strong passwords and change them periodically. Moreover, some of the ShellBot variants can install other malware from their C2 server,” Fortinet notes.
Due to the severity of the above-mentioned flaws, the cybersecurity firm recommends that users apply the relevant patches and updates as soon as possible to protect their systems from attacks.