New Zerobot Variant Exploits Additional Vulnerabilities for Propagation
Description
FortiGuard Labs is aware of a report that a new Zerobot variant is capable of propagating to other devices by exploiting known vulnerabilities. Zerobot was first reported in a blog released by Fortinet on December 06, 2022. Devices infected with Zerobot connect to a command-and-control (C2) server and can take part in DDoS attacks.
Why is this Significant?
This is significant because the new Zerobot variant has been updated to exploit additional vulnerabilities for propagation. Since the previous variants of Zerobot were found only recently, the Zerobot developer is clearly making a constant effort to improve the malware. For this reason, patches should be applied to vulnerable devices as soon as possible.
What is Zerobot?
Zerobot is a Go-based malware recently discovered by Fortinet that runs on Linux and Windows platforms. Zerobot contains several modules, including self-replication, attacks for different protocols, and self-propagation. It also communicates with its command-and-control server using the WebSocket protocol.
While Zerobot can spread to other devices by exploiting vulnerabilities and performing brute-force attacks, the malware is reportedly unable to propagate to Windows machines.
For more information on Zerobot, see the Appendix for a link to "Zerobot - New Go-Based Botnet Campaign Targets Multiple Vulnerabilities".
What Vulnerabilities does Zerobot Exploit?
The following vulnerabilities are exploited by Zerobot.

Additional vulnerabilities exploited by the new Zerobot variant:

Vulnerability | Affected Product
CVE-2017-17105 | Zivif PR115-204-P-RS
CVE-2019-10655 | Grandstream
CVE-2020-25223 | WebAdmin of Sophos SG UTM
CVE-2021-42013 | Apache
CVE-2022-31137 | Roxy-WI
CVE-2022-33891 | Apache Spark
ZSL-2022-5717 | MiniDVBLinux
Vulnerabilities exploited by the previously reported variant of Zerobot:

Vulnerability | Affected Product
CVE-2014-8361 | miniigd SOAP service in Realtek SDK
CVE-2017-17106 | Zivif PR115-204-P-RS V2.3.4.2103 Webcams
CVE-2017-17215 | Huawei HG532 Router
CVE-2018-12613 | phpMyAdmin
CVE-2020-10987 | Tenda AC15 AC1900 Router
CVE-2020-25506 | D-Link DNS-320 NAS
CVE-2021-35395 | Realtek Jungle SDK
CVE-2021-36260 | Hikvision product
CVE-2021-46422 | Telesquare SDT-CW3B1 Router
CVE-2022-1388 | F5 BIG-IP
CVE-2022-22965 | Spring MVC or Spring WebFlux application (Spring4Shell)
CVE-2022-25075 | TOTOLink A3000RU Router
CVE-2022-26186 | TOTOLINK N600R Router
CVE-2022-26210 | Totolink A830R Router
CVE-2022-30525 | Zyxel USG FLEX 100(W) Firewall
CVE-2022-34538 | Digital Watchdog DW MEGApix IP camera
CVE-2022-37061 | FLIR AX8 thermal sensor cameras
Other vulnerabilities that may be associated with Zerobot:

Vulnerability | Affected Product
CVE-2016-20017 | D-Link DSL-2750B
CVE-2018-10561 | Dasan GPON
CVE-2018-20057 | D-Link DIR-605L/DIR-619L
CVE-2020-7209 | HP LinuxKI
CVE-2022-30023 | Tenda ONT GPON AC1200 Dual band WiFi HG9
ZERO-36290 | 
- W32/ZeroBot.A!tr
- W64/ZeroBot.A!tr
- ELF/Zerobot.A!tr
- BASH/ZeroBot.A!tr.dldr
- W32/Agent.JL!tr
- Linux/Agent.SE!tr
- W32/Malicious_Behavior.VEX
- Malicious_Behavior.SB
- W32/PossibleThreat
- PossibleThreat
- D-Link.Realtek.SDK.Miniigd.UPnP.SOAP.Command.Execution (CVE-2014-8361)
- D-Link.DSL-2750B.CLI.OS.Command.Injection (CVE-2016-20017)
- Zivif.PR115-204-P-RS.Web.Cameras.Remote.Command.Injection (CVE-2017-17105)
- Zivif.PR115-204-P-RS.Web.Cameras.Credentials.Disclosure (CVE-2017-17106)
- Huawei.HG532.Remote.Code.Execution (CVE-2017-17215)
- Dasan.GPON.Remote.Code.Execution (CVE-2018-10561)
- phpMyAdmin.Authenticated.db_sql.Directory.Traversal (CVE-2018-12613)
- Grandstream.Devices.Invalid.Phonecookie.Command.Injection (CVE-2019-10655)
- Tenda.AC15.AC1900.Authenticated.Remote.Command.Injection (CVE-2020-10987)
- Sophos.SG.UTM.WebAdmin.PreAuth.Remote.Code.Execution (CVE-2020-25223)
- D-Link.ShareCenter.Products.CGI.Code.Execution (CVE-2020-25506)
- HP.LinuxKI.Kivis.PHP.Remote.Command.Injection (CVE-2020-7209)
- Realtek.SDK.CVE-2021-35395.Buffer.Overflow (CVE-2021-35395)
- Hikvision.Product.SDK.WebLanguage.Tag.Command.Injection (CVE-2021-36260)
- Apache.HTTP.Server.cgi-bin.Path.Traversal (CVE-2021-42013)
- Spring.Framework.SerializationUtils.Insecure.Deserialization (CVE-2022-22965)
- Totolink.Router.Main.Function.Query_String.Command.Injection (CVE-2022-25075)
- Totolink.Router.Cstecgi.Command.Injection (CVE-2022-26186)
- Totolink.Router.Cstecgi.Command.Injection (CVE-2022-26210)
- ZyXEL.Firewall.ZTP.Command.Injection (CVE-2022-30525)
- Roxy-WI.options.API.Remote.Code.Injection (CVE-2022-31137)
- Apache.Spark.getUnixGroups.Command.Injection (CVE-2022-33891)
- Digital.Watchdog.MEGApix.IP.Camera.Addacph.Command.Injection (CVE-2022-34538)
- FLIR.AX8.Thermal.Camera.Command.Injection (CVE-2022-37061)
- Tenda.HG9.Router.Ping.Command.Injection (CVE-2022-30023)
- Telesquare.SDT-CW3B1.Command.Injection (CVE-2021-46422)
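As an added example (not code from FortiGuard or from the Zerobot report), the following Python script shows how a defender can map IPS signature hits back to the CVEs listed above and rank the targeted hosts for patching, putting first the hosts where an attempt was only detected rather than dropped. The signature-to-CVE mapping is parsed from a subset of the signature list on this page; the key=value log format, the `attack=` and `action=` field names and the sample log lines are constructed for illustration and are assumptions, not a documented log schema.

```python
import re
from collections import defaultdict

# Subset of the IPS signature list on this page, in the page's own "- Name (CVE)" form.
# Note that one signature (Totolink.Router.Cstecgi.Command.Injection) covers two CVEs.
IPS_SIGNATURE_LIST = """
- Apache.HTTP.Server.cgi-bin.Path.Traversal (CVE-2021-42013)
- Apache.Spark.getUnixGroups.Command.Injection (CVE-2022-33891)
- Roxy-WI.options.API.Remote.Code.Injection (CVE-2022-31137)
- Huawei.HG532.Remote.Code.Execution (CVE-2017-17215)
- Totolink.Router.Cstecgi.Command.Injection (CVE-2022-26186)
- Totolink.Router.Cstecgi.Command.Injection (CVE-2022-26210)
"""

# CVEs added by the new variant (first table on this page).
NEW_VARIANT_CVES = {
    "CVE-2017-17105", "CVE-2019-10655", "CVE-2020-25223",
    "CVE-2021-42013", "CVE-2022-31137", "CVE-2022-33891",
}

# Constructed sample log lines in an assumed key=value format (not real FortiGate output).
SAMPLE_LOGS = [
    'date=2022-12-21 time=10:01:02 type="utm" subtype="ips" severity="critical" srcip=203.0.113.5 dstip=192.0.2.10 action="dropped" attack="Apache.HTTP.Server.cgi-bin.Path.Traversal"',
    'date=2022-12-21 time=10:01:07 type="utm" subtype="ips" severity="critical" srcip=203.0.113.5 dstip=192.0.2.11 action="detected" attack="Totolink.Router.Cstecgi.Command.Injection"',
    'date=2022-12-21 time=10:02:15 type="utm" subtype="ips" severity="high" srcip=198.51.100.9 dstip=192.0.2.10 action="dropped" attack="Huawei.HG532.Remote.Code.Execution"',
    'date=2022-12-21 time=10:03:00 type="utm" subtype="webfilter" srcip=203.0.113.5 dstip=192.0.2.12 action="passthrough" url="http://example.invalid/"',
    'date=2022-12-21 time=10:03:30 type="utm" subtype="ips" severity="medium" srcip=203.0.113.7 dstip=192.0.2.13 action="detected" attack="Some.Unrelated.Signature"',
]

SIG_RE = re.compile(r"^-\s*(?P<sig>\S+)\s*\((?P<cve>CVE-\d{4}-\d{4,})\)\s*$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Actions treated as "the attempt was stopped"; anything else means the target was reached.
BLOCKING_ACTIONS = {"dropped", "blocked", "reset"}


def parse_signature_list(text):
    """Build {signature_name: {CVE, ...}} from the page's bullet list."""
    mapping = defaultdict(set)
    for line in text.splitlines():
        m = SIG_RE.match(line.strip())
        if m:
            mapping[m["sig"]].add(m["cve"])
    return dict(mapping)


def parse_kv_log(line):
    """Split a key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def triage(log_lines, sig_to_cves, new_variant_cves=NEW_VARIANT_CVES):
    """Return {dstip: {cves, new_variant, unblocked, sources}} for Zerobot-related IPS hits."""
    report = {}
    for line in log_lines:
        rec = parse_kv_log(line)
        if rec.get("subtype") != "ips":
            continue                      # only IPS events carry a signature name
        cves = sig_to_cves.get(rec.get("attack", ""))
        if not cves:
            continue                      # IPS hit, but not one of the Zerobot signatures
        host = report.setdefault(rec["dstip"], {
            "cves": set(), "new_variant": False, "unblocked": False, "sources": set(),
        })
        host["cves"] |= cves
        host["new_variant"] |= bool(cves & new_variant_cves)
        host["unblocked"] |= rec.get("action") not in BLOCKING_ACTIONS
        host["sources"].add(rec["srcip"])
    return report


def patch_priority(report):
    """Hosts that were reached come first, then new-variant targets, then by CVE count."""
    return sorted(
        report,
        key=lambda h: (not report[h]["unblocked"], not report[h]["new_variant"],
                       -len(report[h]["cves"]), h),
    )


if __name__ == "__main__":
    result = triage(SAMPLE_LOGS, parse_signature_list(IPS_SIGNATURE_LIST))
    for host in patch_priority(result):
        info = result[host]
        print(f"{host}: cves={sorted(info['cves'])} new_variant={info['new_variant']} "
              f"unblocked={info['unblocked']} sources={sorted(info['sources'])}")
```

Run against the constructed sample, 192.0.2.11 ranks first because the Totolink attempt was only detected, while 192.0.2.10 saw two blocked attempts, one of them for a CVE that the new variant added; the webfilter event and the unrelated IPS signature are ignored.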
Appendix
Microsoft research uncovers new Zerobot capabilities (Microsoft)
Zerobot – New Go-Based Botnet Campaign Targets Multiple Vulnerabilities (Fortinet)
Outbreak Alert: Zerobot Attack (Fortinet)