Zerobot, an Internet of Things botnet first discovered earlier this year, has been updated with additional functionality, including the ability to target vulnerabilities on unpatched Apache servers.
As detailed by researchers at Microsoft Corp.’s Security Threat Intelligence team, Zerobot is a Go-based botnet that primarily spreads through IoT and web application vulnerabilities. Zerobot is offered as part of a malware-as-a-service scheme; one domain linked to the bot was seized by the U.S. Federal Bureau of Investigation on Dec. 14.
The new version, dubbed Zerobot 1.1, has increased capabilities, including new attack methods and exploits for supported architectures, expanding its reach to different types of devices, Apache servers being notable among them.
Zerobot 1.1 targets CVE-2021-42013 in Apache HTTP Server and CVE-2022-33891 in Apache Spark. Added functionality also includes the ability to target vulnerabilities in MiniDVBLinux DVR systems, Grandstream networking systems and the Roxy-WI GUI.
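The two Apache CVEs named above are both reachable over HTTP, so exploitation attempts leave traces in ordinary access logs. The following is an added example, not code from the article or from Microsoft's report, that scans Apache combined-format log lines for the two request shapes the public advisories describe: for CVE-2021-42013 (and the earlier CVE-2021-41773 it bypassed) a path traversal that only appears after URL-decoding the request path, and for CVE-2022-33891 a Spark UI `doAs` query parameter carrying shell metacharacters. The log lines, client addresses and user agents are constructed for the example; the `scan_log`/`check_request` names are this example's own.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Apache "combined" log line: client ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

# Characters that let a doAs value break out of the command Spark builds around it.
SHELL_META = re.compile(r'[`$;|&]')


def decode_twice(s):
    """Two rounds of percent-decoding: CVE-2021-42013 hides '.' as %%32%65,
    which becomes %2e after one round and '.' after the second."""
    return unquote(unquote(s))


def traversal_segments(path):
    """Return the '..' segments present once the path is fully decoded."""
    return [seg for seg in decode_twice(path).split('/') if seg == '..']


def check_request(target):
    """Return a list of (cve, kind, evidence) tuples for one request target."""
    parts = urlsplit(target)
    findings = []
    if traversal_segments(parts.path):
        # A literal '..' is normalised away by httpd; the exploit needs encoding.
        kind = 'encoded-traversal' if '..' not in parts.path else 'literal-traversal'
        findings.append(('CVE-2021-42013', kind, decode_twice(parts.path)))
    # parse_qs percent-decodes values, so %60id%60 arrives here as `id`.
    for value in parse_qs(parts.query).get('doAs', []):
        if SHELL_META.search(value):
            findings.append(('CVE-2022-33891', 'doAs-injection', value))
    return findings


def scan_log(lines):
    """Scan access-log lines; return one dict per finding with its line number."""
    results = []
    for number, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for cve, kind, evidence in check_request(m.group('target')):
            results.append({'line': number, 'client': m.group('client'),
                            'cve': cve, 'kind': kind, 'decoded': evidence})
    return results


# Constructed sample log: two benign requests, two httpd traversal attempts,
# one Spark doAs injection attempt and one benign doAs value.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Dec/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Dec/2022:10:01:03 +0000] "GET /files/report%2epdf HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Dec/2022:10:02:10 +0000] "POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" 200 76 "-" "curl/7.85.0"
198.51.100.23 - - [14/Dec/2022:10:02:11 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1200 "-" "curl/7.85.0"
198.51.100.23 - - [14/Dec/2022:10:03:00 +0000] "GET /?doAs=%60id%60 HTTP/1.1" 403 0 "-" "curl/7.85.0"
203.0.113.9 - - [14/Dec/2022:10:03:05 +0000] "GET /?doAs=analyst HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

The traversal check decodes the path twice on purpose: a single `unquote` turns `%%32%65` into `%2e`, which still looks harmless, and only the second round exposes the `..` segment. The Spark check keys on metacharacters rather than on a specific command, because the injection point is a parameter value that gets wrapped in a shell command, so `;`, `|`, `$(...)` and backticks are all equivalent from the attacker's side.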
Upon gaining device access, Zerobot injects a malicious payload that attempts to download binaries built for different architectures until one runs, identifying the device architecture by brute force. Depending on the operating system, the botnet uses different persistence mechanisms to maintain access to infected devices. It’s noted that although Zerobot is unable to spread on Windows machines, several samples can run on Windows.
The new version of Zerobot also has additional distributed denial-of-service attack capabilities, including functions that allow the threat actors to target resources and make them inaccessible. Successful Zerobot DDoS attacks can be used to extort ransom payments, distract from other malicious activity, or disrupt operations.
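The brute-force architecture step described above has a distinctive network footprint: one freshly compromised device fetches several files from the same host whose names differ only by an architecture suffix, within seconds of each other. This added example, which is not code from the article or from Microsoft's report, looks for that pattern in outbound web-proxy records. The proxy line format (`epoch src method url status bytes`), the list of architecture suffixes, and the file and host names are all assumptions constructed for the example; the `find_arch_bruteforce` and `split_arch` names are the example's own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed suffixes a multi-architecture dropper would cycle through.
ARCH_SUFFIXES = {
    'arm', 'arm5', 'arm6', 'arm7', 'arm64', 'aarch64',
    'mips', 'mipsel', 'mips64', 'x86', 'x86_64', 'i386', 'i586', 'i686',
    'ppc', 'powerpc', 'sh4', 'm68k', 'riscv64', 's390x', 'sparc',
}

# "<stem><sep><arch>" where sep is '.', '_' or '-' and arch is a known suffix.
NAME_RE = re.compile(r'(?P<stem>.+?)[._-](?P<arch>[A-Za-z0-9_]+)')


def split_arch(filename):
    """'bot.mips' -> ('bot', 'mips'); anything without a known suffix -> None.
    fullmatch means 'agent-x86_64.tar.gz' is not split, since the suffix must end the name."""
    m = NAME_RE.fullmatch(filename)
    if not m:
        return None
    arch = m.group('arch').lower()
    return (m.group('stem'), arch) if arch in ARCH_SUFFIXES else None


def find_arch_bruteforce(lines, window=120, min_archs=3):
    """Flag (src, host, stem) triples where one source fetched the same stem
    with >= min_archs distinct architecture suffixes inside `window` seconds."""
    fetches = defaultdict(list)  # (src, host, stem) -> [(ts, arch)]
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != 'GET':
            continue
        ts, src, url = int(parts[0]), parts[1], urlsplit(parts[3])
        hit = split_arch(url.path.rsplit('/', 1)[-1])
        if hit:
            stem, arch = hit
            fetches[(src, url.netloc, stem)].append((ts, arch))

    alerts = []
    for (src, host, stem), events in fetches.items():
        events.sort()
        for start_ts, _ in events:  # slide a window over each fetch as a start point
            archs = {a for t, a in events if start_ts <= t <= start_ts + window}
            if len(archs) >= min_archs:
                alerts.append({'src': src, 'host': host, 'stem': stem,
                               'archs': sorted(archs), 'first_seen': start_ts})
                break
    return alerts


# Constructed proxy records: one host cycling four architectures in 3 seconds,
# one legitimate tarball download, and one host fetching two firmware images 10 minutes apart.
SAMPLE_PROXY_LOG = """\
1671012001 10.0.0.51 GET http://198.51.100.40/bins/bot.arm 200 41200
1671012002 10.0.0.51 GET http://198.51.100.40/bins/bot.arm7 200 43008
1671012002 10.0.0.51 GET http://198.51.100.40/bins/bot.mips 200 39800
1671012003 10.0.0.51 GET http://198.51.100.40/bins/bot.x86_64 200 51234
1671012010 10.0.0.77 GET http://203.0.113.5/releases/agent-x86_64.tar.gz 200 9000000
1671012011 10.0.0.77 GET http://203.0.113.5/index.html 200 512
1671012300 10.0.0.88 GET http://203.0.113.9/fw/cam.arm 200 80000
1671012900 10.0.0.88 GET http://203.0.113.9/fw/cam.mips 200 80000
"""

if __name__ == '__main__':
    for alert in find_arch_bruteforce(SAMPLE_PROXY_LOG.splitlines()):
        print(alert)
```

Thresholds are deliberately conservative: a single device legitimately pulls one architecture's build, and a firmware mirror might pull two over a day, so the rule only fires on three or more suffixes for the same stem from the same source within the window. On egress-filtered IoT segments the same grouping can be applied to DNS or NetFlow by keying on destination rather than filename, at the cost of losing the suffix signal.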
“Zerobot (and other methods of forming botnet armies) is about as serious as it gets,” Bud Broomhead, chief executive officer at IoT cyber hygiene company Viakoo Inc., told SiliconANGLE. “Threat actors gain not just one foothold in your network but thousands of them when IoT/OT devices are infected.”
Broomhead noted that DDoS attacks are increasing in size, frequency and duration due to the spread of bots like Zerobot that have largely gone unchecked.
“Threat actors will always go to where defenses are weakest and the potential for exploits is highest – and that’s exactly what IoT and OT devices offer today,” Broomhead explained. “Many cyber defenses rely on agent-based technology to protect IT systems; IoT/OT devices can’t accept agents, making IT-oriented solutions ineffective in stopping threats like Zerobot.”
Broomhead recommends that security teams at least use an agentless asset discovery solution so they know what assets can be compromised. Security teams should monitor devices for changes in how they function, such as increased network traffic from them, utilization of onboard memory, or unusual CPU usage. In addition, security teams need to stay on top of IoT/OT device firmware updates and password rotations by using an automated and agentless IoT security platform.
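The monitoring advice above (watch for changes in network traffic, memory and CPU on devices that cannot run an agent) can be implemented from the telemetry a switch, SNMP poller or flow collector already exports. The following is an added example, not code from the article or from Viakoo, of a per-device robust baseline: it learns the median and median absolute deviation of each metric over a quiet period and then flags samples whose robust z-score exceeds a threshold, which is what a device recruited into a DDoS flood looks like. The telemetry values, the device name and the `detect_deviations` helper are constructed for the example.

```python
from statistics import median

METRICS = ('cpu_pct', 'mem_pct', 'bytes_out')


def robust_baseline(samples):
    """Per metric: (median, scale) where scale is MAD rescaled to a std-dev
    equivalent; falls back to 5% of the median (min 1.0) if MAD is zero."""
    baseline = {}
    for m in METRICS:
        values = [s[m] for s in samples]
        med = median(values)
        mad = median(abs(v - med) for v in values)
        scale = 1.4826 * mad if mad > 0 else max(abs(med) * 0.05, 1.0)
        baseline[m] = (med, scale)
    return baseline


def robust_z(value, med, scale):
    return (value - med) / scale


def detect_deviations(device, samples, baseline_n=10, threshold=5.0):
    """Learn a baseline from the first baseline_n samples, then report each
    later sample whose metrics move more than `threshold` robust-sigmas."""
    baseline = robust_baseline(samples[:baseline_n])
    alerts = []
    for s in samples[baseline_n:]:
        deviations = {}
        for m in METRICS:
            z = robust_z(s[m], *baseline[m])
            if abs(z) > threshold:
                deviations[m] = round(z, 1)
        if deviations:
            alerts.append({'device': device, 'ts': s['ts'], 'deviations': deviations})
    return alerts


def build_samples(ts0, cpu, mem, out):
    return [{'ts': ts0 + 60 * i, 'cpu_pct': c, 'mem_pct': mm, 'bytes_out': o}
            for i, (c, mm, o) in enumerate(zip(cpu, mem, out))]


# Constructed telemetry for one camera: ten quiet minutes, then a normal
# sample, a sample with saturated CPU and a 40x jump in egress, then normal again.
CAMERA_SAMPLES = build_samples(
    1671012000,
    cpu=[12, 13, 14, 12, 15, 13, 14, 12, 13, 14, 14, 85, 13],
    mem=[40, 41, 42, 40, 41, 42, 40, 41, 42, 41, 41, 43, 41],
    out=[200000, 210000, 205000, 215000, 200000, 220000, 210000, 205000, 215000, 210000,
         212000, 9000000, 208000],
)

if __name__ == '__main__':
    for alert in detect_deviations('cam-lobby-01', CAMERA_SAMPLES):
        print(alert)
```

Median and MAD are used instead of mean and standard deviation so that a single spike in the learning window does not inflate the baseline and hide later ones; the threshold of five robust sigmas is a starting point to tune per device class. Memory stays within baseline in the constructed flood sample, which is realistic for a bot that is simply sending packets, so the alert carries only the metrics that actually moved.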