26 June 2024

UNSTABLE and Condi botnets abusing cloud services to distribute malware

Fortinet’s FortiGuard Labs has detected an increase in botnet activities leveraging cloud services to enhance their malicious capabilities. Botnets like UNSTABLE and Condi are utilizing cloud storage and computing services to distribute malware payloads and updates across a wide range of devices.

The researchers have observed botnet operators exploiting multiple vulnerabilities to target various devices, including JAWS webservers, Dasan GPON home routers, Huawei HG532 routers, TP-Link Archer AX21 routers, and Ivanti Connect Secure. These exploits are being used to amplify attacks and expand the botnet's reach.

The UNSTABLE botnet, a variant of the notorious Mirai botnet, has been particularly active. Its initial access vector targets the JAWS Webserver RCE vulnerability (CVE-2016-20016) to retrieve a downloader script named “jaws” from a specific domain. This script includes multiple binary files for 13 architectures, executed using the parameter “jaws.exploit.”

The UNSTABLE botnet comprises three primary modules responsible for the exploitation, scanning, and DDoS attacks. The exploitation module targets three vulnerabilities: CVE-2016-20016, CVE-2018-10561/10562 (Dasan GPON routers), and CVE-2017-17215 (Huawei HG532). The scanner module employs a hard-coded list of usernames and passwords for brute-force scanning of other network endpoints. The DDoS attack module includes nine attack methods, such as attack_tcp_ack, attack_tcp_syn, and attack_udp_plain, allowing the botnet to choose the most suitable method based on commands from its command-and-control (C2) server.
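The scanner module described above works by replaying a fixed username/password list against every reachable endpoint, so from the defender's side it shows up as a burst of failed logins from one source across several accounts. The following detection logic is an added example and is not FortiGuard's code or anything from the UNSTABLE sample; the log format, the 60-second window and the five-failure threshold are assumptions, and the log lines are constructed for the demonstration.

```python
"""Flag sources that brute-force logins the way a Mirai-style scanner module does.

Added example (not from the report). Log format, window and threshold are
assumptions; the sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telnet/SSH honeypot-style lines: timestamp, source IP, user, result.
SAMPLE_LOG = """\
2024-06-20T10:00:01 src=198.51.100.7 user=root result=FAIL
2024-06-20T10:00:02 src=198.51.100.7 user=admin result=FAIL
2024-06-20T10:00:03 src=198.51.100.7 user=support result=FAIL
2024-06-20T10:00:04 src=198.51.100.7 user=user result=FAIL
2024-06-20T10:00:05 src=198.51.100.7 user=guest result=FAIL
2024-06-20T10:00:06 src=198.51.100.7 user=root result=OK
2024-06-20T10:05:00 src=203.0.113.9 user=root result=FAIL
2024-06-20T10:30:00 src=203.0.113.9 user=root result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>\S+)$"
)


def parse_events(log_text):
    """Yield (timestamp, src, user, result) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["res"]


def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {src: summary} for every source with >= threshold failed logins
    inside any sliding window of the given length.

    summary = {"failures": peak failures in one window,
               "distinct_users": accounts tried in that window,
               "success_after_failures": a login succeeded after the first failure}
    """
    by_src = defaultdict(list)
    for ts, src, user, res in parse_events(log_text):
        by_src[src].append((ts, user, res))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        fails = [(ts, user) for ts, user, res in events if res == "FAIL"]
        peak, start, users_at_peak = 0, 0, set()
        # Sliding window over the failure timestamps only.
        for i in range(len(fails)):
            while fails[i][0] - fails[start][0] > window:
                start += 1
            count = i - start + 1
            if count > peak:
                peak = count
                users_at_peak = {u for _, u in fails[start:i + 1]}
        if peak >= threshold:
            first_fail = fails[0][0]
            success = any(res == "OK" and ts >= first_fail for ts, _, res in events)
            alerts[src] = {
                "failures": peak,
                "distinct_users": len(users_at_peak),
                "success_after_failures": success,
            }
    return alerts


if __name__ == "__main__":
    for src, info in find_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

The second source in the sample (two failures 25 minutes apart) stays below the window threshold and is not reported; the first source is flagged with five distinct accounts tried and a subsequent successful login, which is the case worth escalating because it means the device has likely joined the botnet.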

The Condi DDoS botnet continues to exploit CVE-2023-1389 in TP-Link Archer AX21 to gain control of devices. Once a device is infected, the malware terminates competing processes and establishes a connection to a central C2 server. An analysis of the file for the “x86-i686” architecture revealed that the malware creates a socket to check whether the C2 server is reachable. If it is, the malware sets up a connection with the C2 server’s IP address and executes the “ps” command to gather process-related information.

“The IP address “209[.]141[.]35[.]56” pinged by the compromised device is exploited by the attack source IP address “45[.]128[.]232[.]229” using the CVE-2023-1389 vulnerability. It was first met with a page that the FBI has seized due to its use as a DDoS service (Figure 12). However, FortiGuard Labs found the IP address also has another route, “hxxp://209[.]141[.]35[.]56/getters/,” which contains 19 malware variants for different Linux architectures,” the researchers said.

FortiGuard Labs discovered a new malware, dubbed “Skibidi,” which is distributed by exploiting CVE-2023-1389 and CVE-2024-21887 (Ivanti Connect Secure). A downloader script is used to deploy Skibidi. This script downloads and executes the malware, determining the appropriate Linux architecture for the attack.
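The report publishes its indicators in defanged form (`[.]` for dots, `hxxp` for http), so before they can be matched against connection logs they have to be refanged and split into hosts and URL prefixes. The script below does that for the three indicators quoted above and hunts for them in connection logs, covering both the C2/download host from the Condi analysis and the payload path that served the Skibidi variants. It is an added example, not FortiGuard's code; the log format is an assumption and the log lines are constructed.

```python
"""Refang the report's defanged indicators and hunt for them in connection logs.

Added example (not from the report). Log format is assumed; sample lines are
constructed. The indicator strings are copied verbatim from the report.
"""
from urllib.parse import urlsplit

# Indicators exactly as the report defangs them.
REPORT_IOCS = [
    "209[.]141[.]35[.]56",
    "45[.]128[.]232[.]229",
    "hxxp://209[.]141[.]35[.]56/getters/",
]


def refang(ioc):
    """Undo the common defanging conventions so the value can be compared to logs."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def split_iocs(iocs):
    """Return (hosts, url_prefixes): bare hosts plus the host of every URL."""
    hosts, url_prefixes = set(), set()
    for raw in iocs:
        value = refang(raw)
        if "://" in value:
            url_prefixes.add(value)
            hosts.add(urlsplit(value).hostname)
        else:
            hosts.add(value)
    return hosts, url_prefixes


# Constructed connection-log lines: timestamp src dst url ("-" when no HTTP seen).
SAMPLE_CONNLOG = """\
2024-06-21T08:01:10 src=10.0.0.21 dst=209.141.35.56 url=http://209.141.35.56/getters/x86
2024-06-21T08:01:11 src=10.0.0.21 dst=209.141.35.56 url=-
2024-06-21T08:02:00 src=10.0.0.34 dst=93.184.216.34 url=http://example.com/
2024-06-21T08:03:00 src=45.128.232.229 dst=10.0.0.50 url=-
"""


def hunt(log_text, iocs=REPORT_IOCS):
    """Return [(ts, src, dst, reasons)] for lines touching a known indicator."""
    hosts, prefixes = split_iocs(iocs)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        ts, fields = parts[0], dict(kv.split("=", 1) for kv in parts[1:])
        reasons = []
        if fields.get("src") in hosts:
            reasons.append("src is a reported attack/C2 address")
        if fields.get("dst") in hosts:
            reasons.append("dst is a reported attack/C2 address")
        url = fields.get("url", "-")
        if url != "-" and any(url.startswith(p) for p in prefixes):
            reasons.append("url is under the reported payload path")
        if reasons:
            hits.append((ts, fields.get("src"), fields.get("dst"), reasons))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_CONNLOG):
        print(*hit)
```

The URL-prefix match is the most useful signal: a device fetching anything under the `/getters/` path has already been exploited and is pulling a payload for its architecture, whereas a bare match on the attack source address only tells you that the exploitation attempt reached you.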

Earlier this year, a financially motivated threat actor called “Magnet Goblin” was seen targeting public-facing servers with one-day vulnerabilities to deploy Linux backdoors and credential stealers. The threat actor has attacked Ivanti, Magento and Qlik Sense business analytics servers, and possibly Apache ActiveMQ servers, to gain unauthorized access.
