Moobot botnet exploits a critical vulnerability in Hikvision products

January 17, 2022

A botnet known as Moobot is abusing a critical vulnerability in products from Hikvision, a vendor whose equipment the United States federal government has barred from federal procurement on security grounds.

The Moobot botnet's infrastructure builds on the infamous Dark Mirai (MANGA) botnet, and it has been active in the underground ecosystem for some time. Researchers first documented it in February 2021, and its operators keep adding exploits for new CVEs to widen the pool of potential targets.


According to recent findings, the Moobot botnet exploits a critical command injection vulnerability to take over Hikvision devices running outdated, unpatched firmware and enlist them in the botnet.


Hikvision fixed the vulnerability in a firmware update in September 2021, but devices that have not been updated remain exposed. The researchers also found that the flaw requires no authentication: an attacker can trigger it simply by sending a crafted message to any device reachable from the internet.

A downloader posing as a program dubbed 'macHelper' was also found; it fetches Moobot, stages it on the device, and executes it with a parameter named after Hikvision. These infections were linked to multiple payloads abusing CVE-2021-36260. The malware also modifies basic commands such as reboot so that they no longer work, which hinders recovery of the compromised device.

Moobot also enlists compromised devices in distributed denial-of-service (DDoS) attacks: the command-and-control server sends a SYN flood instruction carrying the target IP address and port number. Separate command codes select other attack types: 0x04 for an ACK flood, 0x05 for an ACK+PUSH flood, and 0x06 for a UDP flood.
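The attack types listed above leave a recognisable footprint on the network side: a camera that suddenly emits hundreds of identical SYN, ACK, ACK+PUSH or UDP packets per second toward one IP and port is almost certainly a bot rather than a camera. The following script, an added example that is not code from the article or from the researchers it summarises, runs that detection over a constructed set of flow records. The record format ("ts src dst dport proto flags"), the addresses and the threshold are all assumptions made for the example.

```python
"""Flag hosts whose traffic matches the flood classes Moobot's C2 can order.

Added example, not code from the article or the research it summarises.
Assumes a simple flow-record line format: "ts src dst dport proto flags",
with tcpdump-style flag letters (S=SYN, A=ACK, P=PUSH) and "-" for UDP.
"""
from collections import Counter

# (protocol, TCP flag set) -> the flood class it would belong to.
FLOOD_CLASSES = {
    ("tcp", frozenset("S")): "SYN flood",
    ("tcp", frozenset("A")): "ACK flood",
    ("tcp", frozenset("PA")): "ACK+PUSH flood",
    ("udp", frozenset()): "UDP flood",
}


def parse_record(line):
    """Split one record into (ts, src, dst, dport, proto, flagset)."""
    ts, src, dst, dport, proto, flags = line.split()
    proto = proto.lower()
    flagset = frozenset() if flags == "-" else frozenset(flags.upper())
    return float(ts), src, dst, int(dport), proto, flagset


def detect_floods(lines, window=1.0, threshold=100):
    """Count flood-candidate packets per (src, dst, dport, class) per window.

    Returns a sorted list of (src, dst, dport, flood_class, count) for
    every tuple whose busiest window reaches `threshold`. Reporting only
    the busiest window means one sustained burst produces one alert.
    """
    buckets = Counter()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, flags = parse_record(line)
        cls = FLOOD_CLASSES.get((proto, flags))
        if cls is None:  # e.g. a normal SYN/ACK or FIN is not a flood packet
            continue
        buckets[(src, dst, dport, cls, int(ts // window))] += 1
    busiest = {}
    for (src, dst, dport, cls, _w), n in buckets.items():
        key = (src, dst, dport, cls)
        busiest[key] = max(busiest.get(key, 0), n)
    return sorted((*k, n) for k, n in busiest.items() if n >= threshold)


def constructed_sample():
    """Synthetic records (made up for this example): two infected cameras
    hammering one target inside a single second, plus a little benign traffic."""
    lines = []
    for i in range(150):  # camera 1: 150 SYNs to 203.0.113.9:80 within 0.6 s
        lines.append(f"{10 + i * 0.004:.3f} 10.0.5.21 203.0.113.9 80 tcp S")
    for i in range(120):  # camera 2: 120 ACK+PUSH packets to :443 within 0.6 s
        lines.append(f"{10 + i * 0.005:.3f} 10.0.5.22 203.0.113.9 443 tcp PA")
    lines += [  # benign: one handshake and two DNS queries, spread over seconds
        "10.100 10.0.5.30 192.0.2.10 443 tcp S",
        "10.120 10.0.5.30 192.0.2.10 443 tcp A",
        "10.130 10.0.5.30 192.0.2.10 443 tcp PA",
        "11.000 10.0.5.30 192.0.2.53 53 udp -",
        "12.000 10.0.5.30 192.0.2.53 53 udp -",
    ]
    return lines


if __name__ == "__main__":
    for alert in detect_floods(constructed_sample()):
        print("flood suspected:", alert)
```

In practice the records would come from NetFlow/IPFIX exports or a packet capture on the camera VLAN rather than an in-memory list, and the threshold should be tuned to the normal packet rate of the devices on that segment; a camera legitimately streaming video to one NVR will show a steady ACK+PUSH rate that must stay below it.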

Experts noted that Moobot and Dark Mirai share code: both use the same data string in their random alphanumeric string generation function, a trait common among Mirai-derived botnets. Some analysts also observed that Moobot borrows elements from another botnet, Satori.

Moobot continues to infect new victims and currently concentrates on exposed, vulnerable devices. To keep devices out of botnets, experts advise applying vendor security patches as soon as they are available, isolating any device found to be infected, and changing the default credentials on newly purchased IoT products before putting them online.
