The computing public is being made aware of an emerging botnet that is currently growing in the wild named Echobot. Considered by Palo Alto Network as the spiritual successor of Mirai botnet, Echobot now comes with an arsenal of 26 exploits designed to take over Internet-connected devices, now including a module to infect IoT and enterprise-level apps like VMware SD-Wan and Oracle Weblogic. In his in-depth blog about Echobot, Akamai’s Senior Security Response Engineer, Larry Cashdollar emphasized the botnet malware was able to gain 8 additional exploits for its attack methods against various vulnerable network-connected nodes.
“I recently came across an updated version of the Echobot binary that had some interesting additions. While examining that binary, I discovered the system hosting the binaries and downloaded an x86 version that also still had the debugging symbols intact. I counted 26 different exploits that were being used in the spread of this botnet. Most were well-known command execution vulnerabilities in various networked devices,” explained Cashdollar.
The newest variant probed by Cashdollar can infect mainstream routers, DVRs (Digital Video Recorders), Network Attached Storage, IP Phones and IP Cameras from many mainstream hardware vendors. Some affected vendors are LG, Realtek, Dell, Belkin, ASUS, VMware, D-Link, Linksys, etc.
“Rather than sticking to devices with embedded OSs like routers, cameras, and DVRs, IoT botnets are now using vulnerabilities in enterprise web and networking software to infect targets and propagate malware. Also of note is the inclusion of 10+ year old exploits for network devices that I believe may never have been patched by the vendors. This alludes to the botnet developers deliberately targeting unpatched legacy vulnerabilities,” added Cashdollar.
Legacy hardware and software are fast becoming the favorite attack surface of malware as of late. As more and more organizations wish to cut cost, legacy hardware and software that continue to work without trouble are usually in operations, extending its service life beyond the time table set by its vendor. The continued use of legacy products within a corporate environment increases the invisible cost of recovering from a cyber attack or malware infestation once these same products were the reason such tragedy happened in the first place.
Echobot, just like all the previous botnet before it has the goal of not cripple the performance of the affected hardware. It is designed to maintain a presence in the products it infects, but let it run as if no infection actually happened. This way, the now infected product will continue to be used by its stakeholders without suspecting anything nasty happening in the background. As the infection continues, the product remains accessible by the command and control servers through its Internet connection as part of the botnet.
“Botnet developers are always looking for ways to spread malware. They are not just relying on exploiting new vulnerabilities that target IoT devices, but vulnerabilities in enterprise systems as well. Some of the new exploits they’ve added are older and have remained unpatched by the vendor. It seems the updates to Echobot are targeting systems that have possibly remained in service, but whose vulnerabilities were forgotten,” concluded Cashdollar.
Echobot will not remain as the unique, multi-device compatible botnet malware. New malware featuring multi-module construction will be developed through the coming months and years which will equally target both current products and obsolete products that are operating on the Internet. It is prudent for organizations to maintain a healthy mix of new and legacy technology to better serve their customers, without compromising the need to establish/maintain a credible cybersecurity defense posture.