Zerobot, a botnet that infects various Internet of Things (IoT) devices and uses them for distributed denial of service (DDoS) attacks, has been updated with new features and new infection mechanisms.
A report (opens in new tab) from Microsoft’s security team claims that the malware used to integrate IoT devices into the botnet has reached version 1.1.
With this upgrade, Zerobot can now leverage flaws found in Apache and Apache Spark to compromise various endpoints and later use them in the attacks. The flaws used to deploy Zerobot are tracked as CVE-2021-42013 and CVE-2022-33891.
Abusing Apache flaws
CVE-2021-42013 is actually an upgrade for the previous fix, designed to patch CVE-2021-41773 in Apache HTTP Server 2.4.50.
As the latter was insufficient, it allowed threat actors to use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives, the cve.mitre.org site explains. “If files outside of these directories are not protected by the usual default configuration “require all denied”, these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.”
CVE-2022-33891, on the other hand, affects the Apache Spark UI, and allows attackers to perform impersonation attacks by providing an arbitrary username, and ultimately, allows the attackers to run arbitrary shell commands. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1, cve.mitre.org explained.
The new version of Zerobot also comes with new DDoS attack capabilities, Microsoft explained. These capabilities allow threat actors to target different resources and render them inaccessible. In almost every attack, the report states, the destination port is customizable, allowing threat actors who purchase the malware to modify the attack as they see fit.