Cacti, Realtek, and IBM Aspera Faspex Vulnerabilities Under Active Exploitation

Threat actors are exploiting vulnerabilities in Cacti, Realtek, and IBM Aspera Faspex to attack systems that have not yet received the available patches.

According to a report published this week by Fortinet FortiGuard Labs, exploitation of CVE-2022-46169 (CVSS score: 9.8) and CVE-2021-35394 (CVSS score: 9.8) is being used to distribute MooBot and ShellBot, also known as PerlBot.

CVE-2022-46169 is a critical flaw in Cacti servers that chains an authentication bypass with a command injection, allowing an unauthenticated attacker to execute arbitrary code. CVE-2021-35394 is another arbitrary command injection vulnerability, this one in the Realtek Jungle SDK, which was patched in 2021.

Similar techniques have previously been used to spread botnets such as Mirai, Gafgyt, Mozi, and RedGoBot. The recent campaign instead deploys MooBot, a Mirai variant that has been active since 2019.

Since January 2023, the Cacti flaw has been observed being exploited not only to deploy MooBot but also to deliver ShellBot payloads.

Three distinct ShellBot variants have been identified: PowerBots (C), GohacK LiGhT's Modded perlbot v2, and B0tchZ 0.2a. The first two were recently documented by the AhnLab Security Emergency response Center (ASEC).

All three variants can launch DDoS attacks. PowerBots (C), GohacK LiGhT's Modded perlbot v2, and B0tchZ 0.2a also provide backdoor functionality for uploading and downloading files and starting a reverse shell.

According to Fortinet researcher Cara Lin, compromised victims can be controlled and used as DDoS bots once they receive commands from a C2 server. Because MooBot can kill competing botnet processes and carry out brute-force attacks, administrators should enforce strong passwords and rotate them regularly.

The IBM Aspera Faspex vulnerability is being actively exploited.

Also under active exploitation is CVE-2022-47986 (CVSS score: 9.8), a critical YAML deserialization flaw in IBM's Aspera Faspex file-sharing application.
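As an added illustration (not code from the article, Fortinet or IBM, and not the Faspex exploit itself), the following shows the pattern behind a YAML deserialization flaw in a Ruby application: the unrestricted loader beside the allowlisted one. The AuditEntry class, the two YAML documents and the endpoint behaviour are constructed assumptions for the example only.

```ruby
require 'yaml'

# Added example (not code from Fortinet, IBM or the article). AuditEntry is a
# hypothetical application class standing in for whatever class an attacker
# would pick in a real gadget chain: one whose methods do something dangerous
# when the deserialized object is later used by the application.
class AuditEntry
  attr_reader :user, :command

  def initialize(user, command)
    @user = user
    @command = command
  end

  # A method a real gadget would abuse: it builds a shell command from
  # attacker-controlled state. Kept inert here, it only returns the string.
  def planned_invocation
    "sh -c #{@command.inspect}"
  end
end

# Constructed attacker input: a YAML document that names a Ruby class instead
# of a plain mapping. Psych sets the instance variables directly, so the
# class's initialize never runs and no validation it contains applies.
HOSTILE_DOC = <<~YAML
  --- !ruby/object:AuditEntry
  user: attacker
  command: id > /tmp/pwned
YAML

# Constructed benign input: the kind of document the endpoint is meant to accept.
BENIGN_DOC = <<~YAML
  title: quarterly-report
  recipients:
    - alice@example.com
    - bob@example.com
YAML

# Vulnerable pattern: the unrestricted loader on untrusted data. Psych 4
# (Ruby 3.1+) made YAML.load safe by default and moved the old behaviour to
# unsafe_load, so select whichever entry point is the unrestricted one.
def vulnerable_parse(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened pattern: safe_load with an explicit allowlist of classes and no
# aliases (aliases are a separate resource-exhaustion vector).
def hardened_parse(doc, permitted: [])
  YAML.safe_load(doc, permitted_classes: permitted, aliases: false)
end

# Summarise what a given parser does with a document.
def outcome(doc, parser)
  value = parser.call(doc)
  value.is_a?(AuditEntry) ? :instantiated_app_class : :plain_data
rescue Psych::DisallowedClass
  :rejected_by_allowlist
end

if __FILE__ == $PROGRAM_NAME
  obj = vulnerable_parse(HOSTILE_DOC)
  puts "vulnerable: #{obj.class} -> #{obj.planned_invocation}"
  puts "hardened:   #{outcome(HOSTILE_DOC, method(:hardened_parse))}"
  puts "benign:     #{outcome(BENIGN_DOC, method(:hardened_parse))}"
end
```

The point to take from the unrestricted path is that the attacker chooses the class and its internal state; the application never calls `AuditEntry.new`, so input checks placed in a constructor do not help. The allowlist is the actual control: everything not listed is rejected before any object exists.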

The bug was fixed in December 2022 (version 4.4.2 Patch Level 2) and a proof-of-concept exploit was published shortly afterwards. Since February, it has been weaponized in ransomware attacks linked to Buhti and IceFire.

Last week, cybersecurity firm Rapid7 disclosed that one of its customers had been breached through this vulnerability, and urged users to apply the available updates immediately.

Given the vulnerability's link to ransomware activity, the company also advises taking the service offline if it is internet-facing and cannot be patched right away.
