InfectedSlurs botnet exploits zero-days to infect NVR devices

November 29, 2023

The InfectedSlurs botnet, a newly identified Mirai-based payload, exploits two zero-day vulnerabilities affecting network devices. According to reports, it has compromised routers and network video recorder (NVR) devices, putting sensitive information at risk.

The researchers encountered InfectedSlurs in October 2023 and state that it has been operational since at least last year. The botnet's modus operandi is to exploit two zero-day remote code execution (RCE) flaws to breach and compromise routers and NVR devices. In addition, a new study observed an unusual surge of malicious activity late last month that targets a rarely used TCP port.


The new InfectedSlurs botnet infections have been prevalent for the past few weeks.


According to the investigation, the initial burst of InfectedSlurs botnet activity peaked at 20 attempts per day and gradually fell to an average of two to three attempts daily, with some days seeing no attempts at all.

Until November 9, 2023, the identity of the vulnerable devices remained unknown. The attackers employed a systematic approach, initiating authentication via a POST request and, upon success, running command injection exploits.

The researchers promptly reported the vulnerabilities to the respective vendors, but the vendors could not release fixes until December 2023. The names of the affected vendors have not yet been disclosed.

A recent analysis also revealed that InfectedSlurs uses default admin credentials to install Mirai variants. NVR users should therefore replace default credentials with strong, unique passwords.
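As an added illustration (not code from the original report), the following Python check runs over constructed NVR web-access log lines and flags the two behaviours described above: a login POST using default admin credentials, and a request carrying shell metacharacters that follows a successful login from the same source. The log format, the paths and the default-credential list are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not a real device's):
# "<ISO timestamp> <src_ip> <method> <path> <status> params=<form body>"
SAMPLE_LOG = """\
2023-11-09T03:12:01 198.51.100.7 POST /login 200 params=user=admin&pass=admin
2023-11-09T03:12:02 198.51.100.7 POST /cgi-bin/config 200 params=ntp=pool.ntp.org;id
2023-11-09T03:20:15 203.0.113.9 POST /login 401 params=user=admin&pass=admin
2023-11-09T03:20:16 203.0.113.9 POST /cgi-bin/config 401 params=ntp=`id`
2023-11-09T04:00:00 192.0.2.5 POST /login 200 params=user=operator&pass=S3cure-pw
2023-11-09T04:05:00 192.0.2.5 GET /status 200 params=
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) params=(.*)$")
# Constructed sample of factory-default credential pairs (assumption, not vendor data).
DEFAULT_CREDS = {("admin", "admin"), ("admin", "12345"), ("admin", "")}
SHELL_META = re.compile(r"[;|`]|\$\(|&&")   # metacharacters typical of OS command injection
WINDOW = timedelta(seconds=60)              # how soon after login the follow-up must occur


def analyse(log_text):
    """Return (src_ip, finding, detail) tuples for the two behaviours the article describes."""
    findings = []
    last_login = {}  # src_ip -> timestamp of the most recent successful POST /login
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, method, path, status, params = m.groups()
        t = datetime.fromisoformat(ts)
        fields = dict(kv.split("=", 1) for kv in params.split("&") if "=" in kv)
        if method == "POST" and path == "/login":
            if (fields.get("user", ""), fields.get("pass", "")) in DEFAULT_CREDS:
                findings.append((ip, "default-credential login attempt", status))
            if status == "200":
                last_login[ip] = t
            continue
        if SHELL_META.search(params):
            prior = last_login.get(ip)
            if prior is not None and t - prior <= WINDOW:
                findings.append((ip, "command injection after successful login", path))
            else:
                findings.append((ip, "command injection attempt without session", path))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```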

The botnet does not discriminate between targets, hitting a range of devices that includes wireless LAN routers for hotel and residential use. This broad targeting increases the potential impact and underlines the need for businesses to maintain robust cybersecurity measures.

InfectedSlurs, rooted in the JenX Mirai malware variant, closely resembles the original Mirai botnet code. The October 2023 campaign showed the actors using the same functions at memory locations identical to those of the April 2023 Mirai variant.

The researchers identified similarities in the C2 infrastructure with other notorious botnets like the hailBot Mirai variant, linking back to a deleted Telegram user in the DDoS marketplace channel DStatCC.

The cybersecurity community should remain vigilant as the InfectedSlurs botnet continues to exploit these vulnerabilities, and everyone running affected devices should apply the updates the vendors will release next month to fix them.
