Hackers use a known vulnerability in the Cacti device monitoring tool to install all kinds of malware (Opens in a new tab) On weak endpoints, the researchers claimed.
Cybersecurity researchers from The Shadowserver Foundation discovered multiple attempts to introduce various malware via the critical command injection vulnerability, tracked as CVE-2022-46169.
By abusing the flaw, which has a severity rating of 9.8 (critical), threat actors have been observed spreading Mirai malware, as well as IRC bots. Some threat actors have been seen simply probing the vulnerability, possibly in preparation for future attacks.
Thousands of uncorrected cases
Mirai is a malware that mostly targets Linux-based smart home devices, such as IP cameras and home routers, and is absorbed into the Mirai botnet. The botnet can later be used for distributed denial-of-service (DDoS) attacks, which can crash operations and shut down websites.
The IRC botnet was seen opening a reverse shell on the host and having it scan the endpoint ports.
In total, nearly 10 exploit attempts were seen in the last week.
The Censys report claims that there are more than 6,000 uncorrected Cacti cases accessible online, while adding that more than 1,600 cases are unprecedented and therefore at risk.
“Censys has detected 6427 web hosts running a version of Cacti. Unfortunately, we can only see exactly which version of the software is running when a certain theme (sunrise) is enabled on the web application,” Censys said. However, 1,637 web-accessible hosts were found vulnerable to CVE-2022-46169, the majority (465) running version 1.1.38, which was released more than a year ago.
Furthermore, Censys only noted 26 cases running an updated version that wasn’t vulnerable.
As always, the best way to protect your devices from such attacks is to ensure that all software is running the latest version.
Via: BleepingComputer (Opens in a new tab)