Zerobot, a botnet that infects various Internet of Things (IoT) devices and uses them in distributed denial-of-service (DDoS) attacks, has been updated with new capabilities and new infection mechanisms.
The malware, which is used to integrate IoT devices into botnets, has reached version 1.1, according to a report from Microsoft’s security team.
With this upgrade, Zerobot can now exploit flaws found in Apache and Apache Spark to compromise various endpoints and then use them in attacks. The vulnerabilities used to deploy Zerobot are tracked as CVE-2021-42013 and CVE-2022-33891.
Abusing Apache Vulnerabilities
CVE-2021-42013 exists because the fix for CVE-2021-41773 that shipped in Apache HTTP Server 2.4.50 was incomplete.
The cve.mitre.org entry explains that, since that fix is not sufficient, threat actors can use path traversal attacks to map URLs to files outside of the directories configured by Alias-like directives. “These requests can succeed if files outside of these directories are not protected by the usual default configuration of ‘require all denied’. This may allow remote code execution if CGI scripting is also enabled for these alias paths. This issue only affects Apache 2.4.49 and Apache 2.4.50, earlier versions are not affected.”
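As an added example (not from Microsoft’s report or this article), the following Python scanner reads constructed Apache combined-format access-log lines and flags requests whose path escapes its directory after percent-decoding, recording how many decode rounds were needed (single encoding as in CVE-2021-41773, double encoding as in the CVE-2021-42013 bypass) and whether the server answered 200, which indicates the target was not covered by ‘Require all denied’. The log lines and IP addresses are constructed for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed Apache combined-log lines (not taken from the article). The third
# and fourth requests carry single- and double-percent-encoded dot segments of
# the kind CVE-2021-41773 / CVE-2021-42013 are about.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2022:10:01:03 +0000] "GET /icons/../../etc/passwd HTTP/1.1" 400 0 "-" "curl/7.79"
203.0.113.9 - - [10/Dec/2022:10:01:04 +0000] "GET /icons/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199 "-" "-"
198.51.100.2 - - [10/Dec/2022:10:01:05 +0000] "GET /icons/%%32%65%%32%65/etc/passwd HTTP/1.1" 200 1201 "-" "-"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def traversal_depth(path: str, max_rounds: int = 3) -> Optional[int]:
    """Percent-decode the path repeatedly and return the number of decode rounds
    after which a '..' segment first appears: 0 = literal '..', 1 = single-encoded
    (%2e, closed in 2.4.50), 2 = double-encoded (%%32%65, the CVE-2021-42013
    bypass). None means no traversal segment was found at any depth."""
    current = path.split("?", 1)[0]  # ignore the query string
    for rounds in range(max_rounds + 1):
        if any(segment == ".." for segment in current.split("/")):
            return rounds
        decoded = unquote(current)
        if decoded == current:  # nothing left to decode
            break
        current = decoded
    return None


def scan_log(text: str) -> List[Dict]:
    """Return one finding per request that escapes its directory. 'served' is True
    when the server answered 200, i.e. the file outside the aliased directory was
    not protected by 'Require all denied'."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        depth = traversal_depth(m["path"])
        if depth is None:
            continue
        findings.append({"ip": m["ip"], "path": m["path"],
                         "encoding_rounds": depth, "served": m["status"] == "200"})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```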
On the other hand, CVE-2022-33891 affects the Apache Spark UI and allows an attacker to perform an impersonation attack by providing an arbitrary username, which ultimately allows the attacker to run arbitrary shell commands. cve.mitre.org explains that this affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
The new version of Zerobot also comes with new DDoS attack capabilities, Microsoft explained. These capabilities allow threat actors to target different resources and make them inaccessible. In nearly every attack, the target port was customizable, allowing threat actors who purchased the malware to modify the attack as they saw fit, the report noted.