Akamai found two zero-day remote code execution (RCE) vulnerabilities being exploited to build a distributed denial-of-service (DDoS) botnet. The botnet is part of a long-running campaign that Akamai's Security Intelligence Response Team (SIRT) has been monitoring since late 2022 and that uses the popular Mirai malware family.
How to protect yourself
Following the release of a patch by one of the affected vendors, researchers at Akamai's SIRT have published an update to the InfectedSlurs alert series, together with some tips on how to mitigate these attacks. The captured malicious payloads install Mirai-based malware with the intent of creating a DDoS botnet. Akamai provides a comprehensive list of IoCs, Snort and Yara rules in its blog post to help identify these exploit attempts in the wild and possible active infections on defenders' networks.
Zero-day vulnerability
As part of the InfectedSlurs discovery, SIRT found a vulnerability in the AE1021 and AE1021PE wall-socket routers from Future X Communications (FXC) that was being actively exploited. The device is described as a wall-socket wireless LAN router for hotels and residential units. The vulnerability has been assigned CVE-2023-49897, with a CVSS v3 score of 8.0.
The consequences
The vulnerability allows an authenticated attacker to achieve OS command injection with a payload sent via a POST request to the device's management interface. In the current campaign, the captured payloads authenticate with the device's default credentials.
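As an added illustration (not part of Akamai's advisory or of this article), a small Python checker in the spirit of the Snort rules mentioned above: it inspects a captured management-interface POST and flags both a login with factory-default credentials and shell metacharacters in form fields, the two conditions that together describe the exploitation seen in this campaign. The management path prefix and the credential pair are placeholders, not the affected device's real values.

```python
import base64
import re

# Constructed placeholders: the affected routers' real management endpoint and
# factory credentials are not reproduced here; substitute the vendor's values.
MANAGEMENT_PATH_PREFIX = "/management"            # hypothetical path prefix
DEFAULT_CREDENTIALS = {("admin", "defaultpass")}  # hypothetical default pair

# Shell metacharacters, command substitution and the typical payload-fetch tools
# have no place in a management form field; any hit is a command-injection signal.
INJECTION_PATTERN = re.compile(r"[;&|`]|\$\(|\bwget\b|\btftp\b")


def encode_basic(user, password):
    """Build an HTTP Basic Authorization header value (used for sample requests)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def basic_auth_credentials(headers):
    """Return (user, password) from a Basic auth header, or None if absent/malformed."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def inspect_request(method, path, headers, body):
    """Return a list of findings for one captured request (empty list = nothing suspicious).

    Only POSTs to the management interface are examined, mirroring the attack path.
    """
    findings = []
    if method != "POST" or not path.startswith(MANAGEMENT_PATH_PREFIX):
        return findings
    if basic_auth_credentials(headers) in DEFAULT_CREDENTIALS:
        findings.append("management login with factory default credentials")
    for field, value in body.items():
        if INJECTION_PATTERN.search(value):
            findings.append(f"shell metacharacters in field '{field}'")
    return findings
```

Feeding the function a constructed POST with the placeholder default credentials and a field value such as `ap1;id` yields both findings, while a GET or a clean POST under a rotated password yields none.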