Botnet takes advantage of AWS outage to smack 28 countries
Briefly

"A Mirai-based botnet named ShadowV2 emerged during last October's widespread AWS outage, infecting IoT devices across industries and continents, likely serving as a 'test run' for future attacks, according to Fortinet's FortiGuard Labs. After infecting vulnerable gear to form a zombie army of IoT devices, the ShadowV2 Mirai variant allows an attacker to remotely control the network of equipment and perform large-scale attacks, including distributed-denial-of-service (DDoS) traffic-flooding events."
"Luckily, the malware only remained active during the day-long outage, which also knocked major websites offline for hours. During that time, it propagated via several vulnerabilities affecting devices from multiple vendors, including DD-WRT (CVE-2009-2765), D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915), DigiEver (CVE-2023-52163), TBK (CVE-2024-3721), and TP-Link (CVE-2024-53375), antivirus analyst Vincent Li said in a Wednesday blog post."
"While ShadowV2, a cloud-native botnet, previously targeted AWS EC2 instances in September campaigns, the more recent bot-building effort affected multiple sectors, including technology, retail and hospitality, manufacturing, managed security services providers, government, telecommunication and carrier services, and education. And it hit 28 countries: Canada, US, Mexico, Brazil, Bolivia, Chile, UK, Netherlands, Belgium, France, Czechia, Austria, Italy, Croatia, Greece, Morocco, Egypt, South Africa, Turkey, Saudi Arabia, Russia, Kazakhstan, China, Thailand, Japan, Taiwan, Philippines, and Australia."
ShadowV2 is a Mirai-based botnet that emerged during last October's AWS outage and infected IoT devices across industries and continents. The variant converts vulnerable equipment into a zombie army that enables remote control and execution of large-scale attacks, including DDoS traffic floods. The malware propagated during the outage by exploiting multiple vendor vulnerabilities across DD-WRT, D-Link, DigiEver, TBK, and TP-Link devices. ShadowV2 previously targeted AWS EC2 instances, but the recent campaign affected technology, retail, hospitality, manufacturing, MSSPs, government, telecoms, and education across 28 countries. Attackers used a downloader script (binary.sh) to fetch binaries prefixed 'shadow' from the (defanged) address 81[.]88[.]18[.]108.
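The two indicators the summary gives (the download host and the 'shadow' binary-name prefix, plus the binary.sh downloader) are enough to write a simple egress-log check. The script below is an added example for this brief, not code from the article, Fortinet, or The Register; the log-line format (timestamp, source IP, destination IP, method, URL) and the sample lines are constructed here for illustration.

```python
import re
from typing import Dict, List, Optional


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 81[.]88[.]18[.]108 into a matchable form."""
    return indicator.replace("[.]", ".")


# Indicators from the brief above (the IP is given defanged in the text).
SHADOWV2_IP = refang("81[.]88[.]18[.]108")
# Downloader script name and 'shadow'-prefixed binary names as the last URL path segment.
SHADOWV2_NAME = re.compile(r"/(binary\.sh|shadow[^\s/]*)$")

# Constructed sample egress-proxy log lines (assumed format, not from the article):
# <timestamp> <src_ip> <dst_ip> <method> <url>
SAMPLE_LOGS = [
    "2025-10-20T12:01:03Z 10.0.5.21 81.88.18.108 GET http://81.88.18.108/binary.sh",
    "2025-10-20T12:01:09Z 10.0.5.21 81.88.18.108 GET http://81.88.18.108/shadow.arm7",
    "2025-10-20T12:02:11Z 10.0.5.33 93.184.216.34 GET http://example.com/index.html",
    "2025-10-20T12:03:40Z 10.0.5.40 203.0.113.9 GET http://203.0.113.9/shadow.mips",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a hit record for a log line that matches a ShadowV2 indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed line: skip rather than guess
    ts, src, dst, _method, url = m.groups()
    reasons: List[str] = []
    if dst == SHADOWV2_IP or url.startswith(f"http://{SHADOWV2_IP}"):
        reasons.append("known ShadowV2 download host")
    if SHADOWV2_NAME.search(url):
        reasons.append("ShadowV2-style binary name")
    if not reasons:
        return None
    return {"time": ts, "src": src, "dst": dst, "url": url, "reasons": reasons}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over every line and keep only the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"{hit['time']} {hit['src']} -> {hit['url']}: {', '.join(hit['reasons'])}")
```

The name-based rule is intentionally kept separate from the host rule: the host indicator stops mattering as soon as the operators move infrastructure, while a fetch of binary.sh or a 'shadow'-prefixed file from an unknown host (the fourth sample line) still surfaces a device worth isolating and checking against the vendor advisories listed above.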
Read at Theregister