Beastmode Botnet Boosts DDoS Power with New Router Exploits
A Mirai-based distributed denial-of-service (DDoS) botnet tracked as Beastmode (aka B3astmode) has updated its list of exploits to include several new ones, three of them targeting various models of Totolink routers.
Totolink is a popular electronics sub-brand belonging to Zioncom that recently released firmware updates to fix three critical-severity vulnerabilities.
The authors of DDoS botnets did not waste any time and added these flaws to their arsenal to take advantage of the opportunity window before Totolink router owners applied the security updates.
By taking control of the vulnerable routers, Beastmode has access to hardware resources that allow it to launch DDoS attacks.
The botnet operators make money either by selling DDoS services or by launching attacks against firms and asking for a ransom to stop.
Vulnerabilities and impact
Fortinet researchers analyzed a recent version of Beastmode to find it added the following new flaws that could be exploited to target Totolink devices:
- CVE-2022-26210 – Command injection vulnerability enabled attackers to execute arbitrary commands via a specially crafted request. Affects Totolink A800R, A810R, A830R, A950RG, A3000RU, and A3100R.
- CVE-2022-26186 – Command injection vulnerability via the export0vpn interface at cstecgi.cgi, affecting Totolink N600R and A7100RU.
- CVE-2022-25075 to 25084 – A set of critical severity flaws allowing remote attackers to execute arbitrary commands via the QUERY_STRING parameter. Affects Totolink A810R, A830R, A860R, A950RG, A3100R, A3600R, T6, and T10 routers.
The vulnerabilities above were not the only additions to Beastmode botnet, though, as its authors also added the folowing older bugs:
- CVE-2021-45382 – Remote code execution flaw affecting D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L and DIR-836L.
- CVE-2021-4045 – Unauthenticated remote code execution flaw affecting TP-Link Tapo C200 IP camera.
- CVE-2017-17215 – Unauthenticated remote code execution flaw affecting Huawei HG532
- CVE-2016-5674 – Remote arbitrary PHP code execution via the log parameter affecting Netgear ReadyNAS product line.
All of the above flaws are rated critical (CVSS v3 score of 9.8), enabling the threat actors to take full control of the device.
Once this happens, the malware downloads a shell script that registers the captured device on the botnet and sets it up for various DDoS attack types.
Stay safe from botnets
To prevent Mirai variants from taking control of your router or IoT devices, make sure to apply the available security updates that fix the vulnerabilities mentioned above.
For Totolink, visit the vendors download center, pick your device model, and download and install the latest available firmware version.
One of the signs that could indicate that your router is compromised is a slow internet connection. Additional clues that a normal user is likely to miss inlcude the device heating up more than usual, not being able to log into the management panel, changed settings, or an unresponsive device.
If you suspect that your networking device has been compromised, one method that can kick the hackers out is to manually reset it, configure it with a different, stronger password, and install the latest security updates from the vendor.