A Mirai botnet variant dubbed Aquabot has been observed actively attempting to exploit a medium-severity security flaw affecting Mitel phones in order to ensnare them into a network capable of mounting distributed denial-of-service (DDoS) attacks.
The vulnerability in question is CVE-2024-41710 (CVSS score: 6.8), a case of command injection in the boot process that could allow a malicious actor to execute arbitrary commands within the context of the phone.
It affects Mitel 6800 Series, 6900 Series, 6900w Series SIP Phones, and the Mitel 6970 Conference Unit. It was addressed by Mitel in mid-July 2024. A proof-of-concept (PoC) exploit for the flaw became publicly available in August.
Outside of CVE-2024-41710, some of the other vulnerabilities targeted by the botnet include CVE-2018-10561, CVE-2018-10562, CVE-2018-17532, CVE-2022-31137, CVE-2023-26801, and a remote code execution flaw targeting Linksys E-series devices.
“Aquabot is a botnet that was built off the Mirai framework with the ultimate goal of distributed denial-of-service (DDoS),” Akamai researchers Kyle Lefton and Larry Cashdollar said. “It has been known since November 2023.”
The web infrastructure company said it detected active exploitation attempts against CVE-2024-41710 since early January 2025, with the attacks mirroring a “payload almost identical to the PoC” to deploy the botnet malware.
The attack involves executing a shell script that, in turn, uses the “wget” command to retrieve Aquabot for different CPU architectures.
The Aquabot Mirai variant observed in the attack has been assessed to be a third iteration of the malware, sporting a novel “report_kill” function that reports back to the command-and-control (C2) server when a kill signal is caught on the infected device. However, sending this information hasn't been found to elicit any response from the server so far.
This new version, in addition to triggering C2 communication upon detecting certain signals, renames itself to “httpd.x86” to avoid attracting attention and is programmed to terminate processes that match certain requirements, such as local shells. It's suspected that the signal handling features are likely incorporated to craft more stealthy variants or to detect malicious activity from competing botnets.
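The traits described above (a bot named “httpd.x86” masquerading as a web server, per-architecture binaries fetched into a scratch directory) can be turned into a simple host triage check. The following is an added example, not Akamai's or Aquabot's code; the process records, the allowlist of legitimate httpd paths, and the “binary deleted after start” heuristic (a long-standing Mirai habit) are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed process-snapshot records (not real telemetry): the fields a
# defender reads from /proc/<pid>/comm, /proc/<pid>/exe and /proc/<pid>/cwd.
@dataclass
class Proc:
    pid: int
    comm: str  # process name as shown by ps
    exe: str   # readlink /proc/<pid>/exe
    cwd: str   # readlink /proc/<pid>/cwd

# Mirai-family bots are built per CPU architecture; the binary is often named
# after the arch or carries it as a suffix (Aquabot v3 uses "httpd.x86").
ARCH_NAME = re.compile(r"(^|\.)(x86|x86_64|i686|arm\d?|mips|mipsel|m68k|ppc|sh4|sparc)$")
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
# Assumed allowlist of legitimate httpd paths on the hosts being checked.
LEGIT_HTTPD = ("/usr/sbin/httpd", "/usr/local/apache2/bin/httpd")

def under(path, dirs):
    """True if path is one of dirs or lies beneath one of them."""
    return any(path == d or path.startswith(d + "/") for d in dirs)

def triage(procs):
    """Return (pid, reason) pairs for processes showing Aquabot/Mirai traits."""
    findings = []
    for p in procs:
        reasons = []
        real_exe = p.exe.split(" (deleted)")[0]
        if p.comm.startswith("httpd") and real_exe not in LEGIT_HTTPD:
            reasons.append("httpd masquerade: comm=%s exe=%s" % (p.comm, p.exe))
        if ARCH_NAME.search(p.comm):
            reasons.append("architecture-named process")
        if under(real_exe.rsplit("/", 1)[0], WRITABLE_DIRS) or under(p.cwd, WRITABLE_DIRS):
            reasons.append("runs from a world-writable directory")
        if p.exe.endswith(" (deleted)"):
            reasons.append("binary unlinked after start (common Mirai habit)")
        if reasons:
            findings.append((p.pid, "; ".join(reasons)))
    return findings

# Constructed snapshot: a clean web server, a bot posing as httpd, an
# arch-named bot dropped in /var/tmp, and an ordinary shell.
SAMPLE = [
    Proc(412, "httpd", "/usr/sbin/httpd", "/"),
    Proc(1337, "httpd.x86", "/tmp/httpd.x86 (deleted)", "/tmp"),
    Proc(2050, "mips", "/var/tmp/mips", "/var/tmp"),
    Proc(2101, "sh", "/bin/busybox", "/root"),
]

if __name__ == "__main__":
    for pid, why in triage(SAMPLE):
        print(pid, why)
```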
There is some evidence suggesting that the threat actors behind Aquabot are offering the network of compromised hosts as a DDoS service on Telegram under the monikers Cursinq Firewall, The Eye Services, and The Eye Botnet.
The development is a sign that Mirai continues to plague a wide range of internet-connected devices that often lack proper security features, or have either reached end-of-life or been left accessible with default configuration and passwords, making them low-hanging fruit ripe for exploitation and a key conduit for DDoS attacks.
“Threat actors commonly claim that the botnet is used only for DDoS mitigation testing purposes to try to mislead researchers or law enforcement,” the researchers said.
“Threat actors will claim it's just a PoC or something educational, but a deeper analysis shows that they're actually selling DDoS as a service, or the owners are boasting about running their own botnet on Telegram.”