Hackers have exploited a known vulnerability in the Cacti device monitoring tool to install various malware on vulnerable endpoints, researchers claim.
Cybersecurity researchers at the Shadowserver Foundation have observed multiple attempts to spread malware through a critical command injection vulnerability in Cacti, tracked as CVE-2022-46169.
Threat actors have been seen deploying the Mirai malware and an IRC botnet by abusing the flaw, which carries a CVSS severity rating of 9.8 (Critical). Other threat actors have been observed merely probing for the vulnerability, possibly in preparation for future attacks.
Thousands of unpatched instances
Mirai is malware that primarily targets Linux-based Internet of Things devices, such as IP cameras and home routers, and assimilates them into the Mirai botnet. A botnet can later be used in Distributed Denial of Service (DDoS) attacks, which can disrupt operations and knock websites offline.
The IRC botnet has been seen opening a reverse shell on the compromised host and then performing port scanning from it.
In total, about 10 exploitation attempts were seen in the last week.
A Censys report said there were more than 6,000 Cacti instances accessible over the internet, of which more than 1,600 could be confirmed as unpatched and thus vulnerable.
“Censys observed 6,427 hosts running a version of Cacti on the Internet. Unfortunately, we were only able to see the exact version of the software running when a specific theme (sunrise) was enabled on the web application,” Censys said. That said, 1,637 hosts were found to be reachable over the network and vulnerable to CVE-2022-46169, the largest single group of which (465) were running version 1.1.38, a release that is more than a year old, it added.
Additionally, Censys observed only 26 instances running newer versions that were not vulnerable.
As always, the best way to protect your deployment from this type of attack is to make sure all software is running the latest version; for Cacti that means 1.2.23 or later, the release that contains the fix for CVE-2022-46169. Since Cacti is an internal monitoring tool, it should also not be reachable from the open internet at all: the Censys figures above show that every exposed instance whose version cannot be read is one an attacker will simply try anyway.
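As an added example, not part of the original article and not Censys's or Cacti's own tooling, the following Python triages a constructed Cacti inventory against 1.2.23, the first release containing the fix. It compares versions numerically rather than as strings (so "1.10.x" would sort after "1.2.x"), and it reports hosts whose version cannot be read, the situation Censys described when the sunrise theme is not in use, as "unknown" rather than silently treating them as safe. Hostnames and version strings are made up; `FIXED_VERSION` is the only real value.

```python
import re
from typing import Dict, List, Optional, Tuple

# First Cacti release that contains the fix for CVE-2022-46169.
FIXED_VERSION = "1.2.23"

# Constructed sample inventory in the shape of an exposure-scan export:
# (host, version string read from the web UI, or None when the theme in
# use did not reveal it). Illustrative values only, not Censys data.
SAMPLE_INVENTORY: List[Tuple[str, Optional[str]]] = [
    ("cacti-a.example.net", "1.1.38"),
    ("cacti-b.example.net", "1.2.22"),
    ("cacti-c.example.net", "1.2.23"),
    ("cacti-d.example.net", "1.2.24"),
    ("cacti-e.example.net", None),          # version not exposed
    ("cacti-f.example.net", "1.2.23-dev"),  # pre-release build, cannot trust
]

# Strict major.minor.patch only; anything else is treated as unreadable,
# because a "-dev" or otherwise tagged build may predate the fix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: Optional[str]) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) as integers, or None if unreadable."""
    if text is None:
        return None
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(version_text: Optional[str]) -> str:
    """Classify one host as 'vulnerable', 'patched' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    fixed = parse_version(FIXED_VERSION)
    assert fixed is not None
    # Tuple comparison is element-wise numeric, unlike string comparison.
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory: List[Tuple[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Group hosts by status. 'unknown' hosts still need a manual check."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version_text in inventory:
        groups[classify(version_text)].append(host)
    for hosts in groups.values():
        hosts.sort()
    return groups


def main() -> None:
    result = triage(SAMPLE_INVENTORY)
    for status in ("vulnerable", "unknown", "patched"):
        print(f"{status:>10}: {', '.join(result[status]) or '-'}")


if __name__ == "__main__":
    main()
```

The "unknown" bucket is the important one operationally: an attacker probing an exposed Cacti host does not need to know its version, so any host whose version cannot be confirmed should be treated as vulnerable until checked on the box itself.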
Via: BleepingComputer