New botnet malware exploits zero-day CVE-2023-49897 flaw in routers

A new botnet, “InfectedSlurs,” has emerged, exploiting critical vulnerabilities in FXC routers to build a Distributed Denial of Service (DDoS) attack network.

Discovered by Akamai’s Security Intelligence Response Team (SIRT) in late October 2023, InfectedSlurs is a Mirai-based malware botnet that targets routers and Network Video Recorder (NVR) devices using two zero-day remote code execution (RCE) vulnerabilities. The botnet, active since late 2022, hijacks devices to expand its DDoS capabilities, likely for profit.

The root of this campaign is the exploitation of a zero-day RCE flaw in the popular FXC AE1021 and AE1021PE routers, widely used in hotels and residences. This vulnerability, cataloged as CVE-2023-49897 with a CVSS v3 score of 8.0, allows authenticated attackers to execute OS commands remotely. Attackers send POST requests to the router’s management interface, logging in with the device’s default credentials.

CVE-2023-49897

The attack follows a two-step process:
1. Fingerprinting: Targeting the `/cgi-bin/login.apply` endpoint using default credentials.

URL: /cgi-bin/login.apply
Cookie: cookieno=489646; username=[redacted]; password=[redacted]
User-Agent: Go-http-client/1.1

POST BODY:
username_input=[redacted]&password_input=. [redacted]&lang=ja_JP&hashstr=202310281340&username=[redacted]&password=[redacted]

2. Exploitation: Upon successful authentication, the malware delivers its payload to the `/cgi-bin/action` endpoint, initiating the compromise.

URL: /cgi-bin/action
Cookie: username=[redacted]; password=[redacted]; cookieno=489646
User-Agent: Go-http-client/1.1

POST BODY:
page_suc=i_system_reboot.htm&system.general.datetime=&ntp.general.hostname=[RCE]&ntp.general.dst=0&ntp.general.dst.adjust=0&system.general.timezone=09:00&system.general.tzname=Tokyo&ntp.general.enable=1
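The two requests above give defenders two things to look for in router access logs: a Go-http-client POST to `/cgi-bin/login.apply`, and a `/cgi-bin/action` POST whose `ntp.general.hostname` value is not a plausible hostname. The following is an added example of such log triage, not Akamai’s published Snort or YARA rules; the log field layout, the finding tags and the sample entries are constructed here, and the injected value mirrors the article’s `[RCE]` placeholder rather than any real payload.

```python
"""Flag InfectedSlurs-style requests against FXC AE1021 management endpoints
(CVE-2023-49897) in HTTP access logs. Added example; not Akamai's published rules."""
import re
from urllib.parse import parse_qs

# A legitimate NTP server value is a bare hostname or IP: letters, digits, dots,
# hyphens (and colons for IPv6). Shell metacharacters never belong here.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.:-]{1,253}$")
SCANNER_UA = "Go-http-client/1.1"  # user-agent seen in both stages of the campaign


def classify_request(method, path, user_agent, body):
    """Return a list of finding tags for one request; an empty list means clean."""
    findings = []
    if method != "POST":
        return findings
    params = parse_qs(body, keep_blank_values=True)
    if path == "/cgi-bin/login.apply" and user_agent == SCANNER_UA:
        # Stage 1: credential fingerprinting from a default Go HTTP client.
        # Go-http-client is also a legitimate UA, so this is a weak signal on its own.
        findings.append("login-probe")
    if path == "/cgi-bin/action":
        for value in params.get("ntp.general.hostname", []):
            # Stage 2: the NTP hostname field carries the injected OS command.
            if not HOSTNAME_RE.match(value):
                findings.append("ntp-hostname-injection")
        if user_agent == SCANNER_UA:
            findings.append("scanner-ua-on-action")
    return findings


# Constructed sample log entries (method, path, user-agent, POST body); not real captures.
# The third body mirrors the article's "[RCE]" placeholder ("x;[RCE]", URL-encoded).
SAMPLE_LOG = [
    ("POST", "/cgi-bin/login.apply", SCANNER_UA,
     "username_input=[redacted]&password_input=[redacted]&lang=ja_JP&hashstr=202310281340"),
    ("POST", "/cgi-bin/action", "Mozilla/5.0",
     "page_suc=i_system_reboot.htm&ntp.general.hostname=ntp.nict.jp&ntp.general.enable=1"),
    ("POST", "/cgi-bin/action", SCANNER_UA,
     "page_suc=i_system_reboot.htm&ntp.general.hostname=x%3B%5BRCE%5D&ntp.general.enable=1"),
    ("GET", "/cgi-bin/action", "Mozilla/5.0", ""),
]


def scan_log(entries=SAMPLE_LOG):
    """Map entry index -> findings for every entry that fired at least one rule."""
    return {i: f for i, e in enumerate(entries) if (f := classify_request(*e))}
```

Running `scan_log()` over the constructed entries flags only the login probe and the `action` request with the malformed hostname; the legitimate NTP configuration and the GET request produce no findings.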

The number of compromised devices is difficult to ascertain, given the botnet’s reliance on factory default credentials. The malware installs a MIPS-compiled variant of Mirai, contributing to an ever-growing botnet.

FXC’s response includes a firmware update (version 2.0.10) to address the CVE-2023-49897 vulnerability. Users are advised to update their firmware and reset the device to factory settings, changing the default login credentials.

The Akamai SIRT team shared an extensive list of IOCs, Snort rules, and YARA rules to help identify these exploit attempts in the wild and possible active infections on defender networks.

InfectedSlurs represents a critical wake-up call in the realm of IoT security. With vulnerabilities in everyday devices being exploited for large-scale cyber attacks, the need for robust cybersecurity measures and awareness is more pressing than ever. Users and manufacturers alike must remain vigilant, updating and securing their devices to prevent becoming part of such malicious networks.