Researchers discover ‘first known instance’ of botnet targeting flaw in Apache Struts

UPDATED Researchers at Palo Alto Networks have uncovered new variants of the notorious IoT botnets Mirai and Gafgyt – with the former targeting the same Apache Struts vulnerability associated with the Equifax data breach in 2017.

On September 7, Palo Alto’s Unit 42 threat research division found samples of a Mirai variant that incorporates exploits targeting 16 separate vulnerabilities.

While the organization’s Ruchna Nigam said the use of multiple exploits within a single sample of Mirai has been observed in the past, this is the first known instance of Mirai targeting a vulnerability in Apache Struts.

The new Gafgyt variant is targeting older, unsupported versions of SonicWall’s Global Management System (GMS).

“The issue referenced only affects an older version of the GMS software (version 8.1) which was replaced by version 8.2 in December 2016,” a SonicWall spokesperson told The Daily Swig.

“Customers and partners running GMS version 8.2 and above are protected against this vulnerability.”

Customers still using GMS version 8.1 have been advised to apply the hotfix supplied by SonicWall in August 2018 and plan for an immediate upgrade, as GMS 8.1 went out of support in February 2018.

Shifting focus

“The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could indicate a larger movement from consumer device targets to enterprise targets,” Nigam said.

Developed in 2016, Mirai is renowned for being one of the world’s most destructive botnets.

At its peak, it was used to enslave more than 300,000 IoT devices and launch crippling DDoS attacks against various websites.

“All organizations should ensure they keep not only their systems up-to-date and patched, but also their IoT devices,” said Nigam.


This article has been updated to include quotes from SonicWall.

