Two zero-day vulnerabilities in remote code execution (RCE) have been used by a new malware botnet dubbed “InfectedSlurs” to infect routers and network video recorders (NVRs).
The devices are taken over by the malware and added to its DDoS (distributed denial of service) swarm, which is likely rented out for financial gain.
‘InfectedSlurs’ was first discovered by Akamai on its honeypots in late October 2023. On the other hand, the botnet started operating in late 2022.
According to the cybersecurity firm, the two exploited vulnerabilities have not yet been patched by the affected vendors, so information about them has been withheld for the time being.
The botnet was initially identified by Akamai’s Security Intelligence Response Team (SIRT) in October 2023 when they noticed strange activity on a seldom-used TCP port that was directed towards their honeypots.
The activity involved low-frequency probes attempting to authenticate themselves through POST requests, which was followed by an attempt at command injection.
SIRT analysts used their data to perform an internet-wide scan, and they found that the targeted devices were associated with a particular NVR manufacturer (whose name is withheld for security reasons) that was mentioned in the report.
The botnet uses an unreported RCE vulnerability to access the device without authorization.
“The SIRT did a quick check for CVEs known to impact this vendor’s NVR devices and was surprised to find that we were looking at a new zero-day exploit being actively leveraged in the wild,” according to the report.
“Through the responsible disclosure process, the vendor communicated to us they are working on a fix that will likely be deployed in December 2023.”
Subsequent investigation revealed that the malware installs a bot client and carries out other malicious tasks using default credentials listed in the vendor’s manuals for various NVR products.
Upon closer examination of the campaign, Akamai found that the botnet also targets a popular wireless LAN router used by hotels and home users, which has another zero-day RCE vulnerability that the malware takes advantage of.
‘InfectedSlurs,’ named like that due to the use of offensive language in the C2 (command and control) domains and hardcoded strings, is a JenX Mirai variant.
Akamai reports that its C2 infrastructure is relatively concentrated and also appears to support hailBot operations.
According to Akamai, the bot samples it discovered in October 2023 had minimal code changes when compared to the original Mirai botnet, indicating that it was a self-propagating DDoS tool that could be used for attacks involving SYN, UDP, and HTTP GET request floods.
InfectedSlurs lacks a persistence mechanism, just like Mirai. Because there isn’t a patch available for the impacted devices, you can temporarily stop the botnet by rebooting your NVR and rooter devices.
InfectedSlurs botnet actively exploits QNAP VioStor NVR vulnerability
A QNAP VioStor NVR (Network Video Recorder) device’s remote code execution (RCE) vulnerability is being used by the Mirai-based botnet “InfectedSlurs” to take control of the device and incorporate it into its DDoS (distributed denial of service) swarm.
The botnet was found in October 2023 by the Security Intelligence Response Team (SIRT) of Akamai. They noticed that two zero-day vulnerabilities in routers and NVR devices were being exploited, most likely beginning in late 2022.
At the time, Akamai decided not to share any information regarding the vulnerabilities that InfectedSlurs was taking advantage of because the vendors had not yet released patches.
Akamai released two follow-up reports (1, 2) to fill in the holes left by the initial report from late November as the security updates or details regarding the two zero-days became available.
Tracked as CVE-2023-49897, the first zero-day vulnerability used by InfectedSlurs affects WiFi router models FXC AE1021 and AE1021PE.
Firmware version 2.0.10 was the security update that the vendor released on December 6, 2023. Following its application, the vendor advised users to change their default password and perform a factory reset.
CVE-2023-47565 is the second zero-day vulnerability in the botnet’s attacks. It affects QNAP VioStor NVR models running QVR firmware 4. x and is a high-severity OS command injection vulnerability.
On December 7, 2023, QNAP released an advisory stating that all models that are currently supported can now use QVR firmware 5. x and later, which fixes the previously unidentified problem.
The Infected Slurs botnet is thought to target older VioStor NVR models that never updated their firmware after first setup, as version 5.0.0 was published over ten years ago.
The following steps are advised by the vendor for susceptible NVR devices:
Go to ‘Control Panel → System Settings → Firmware Update,’ choose the ‘Firmware Update’ tab, and click ‘Browse’ to find the appropriate version for your particular model after logging in to QVR as an administrator.
When the update has finished installing, click “Update System” and let QVR do its work.
It also suggests that users on QVR change their passwords by going to ‘Control Panel → Privilege → Users → Change Password,’ entering a strong new password, and then clicking ‘Apply.’
It’s possible that an update with firmware 5. x or later won’t be available for a VioStor NVR model that has reached EOL (end of life).
The only way to keep these devices secure is to swap them out for more recent, actively supported models. Security updates are not available for these devices.