Alarming New Mirai Botnet Targets Routers and Smart Devices with Zero-Day Attacks!
2025-01-08
Author: Arjun
Introduction
In a shocking revelation that has cybersecurity experts on high alert, a new Mirai-based botnet dubbed "gayfemboy" has emerged, leveraging zero-day exploits to spread across industrial routers and smart home devices. This advanced threat was initially identified by the Chinese research group Qi'anxin XLab in February 2024, and its evolution has made it one of the most formidable botnets we’ve seen.
Advancements in the Botnet's Capabilities
While the earlier versions of the botnet were rather primitive, recent developments show a significant advancement in its capabilities. The botnet now takes advantage of a critical zero-day vulnerability (CVE-2024-12856) discovered in Four-Faith industrial routers and has also been exploiting unknown weaknesses in Neterbit routers and Vimar smart home devices, which have not yet been assigned CVEs.
Operating Techniques
Qi'anxin XLab reports that the botnet operates using over 20 different vulnerabilities, alongside exploiting weak Telnet passwords, to maximize its impact. Currently, researchers have tracked around 15,000 active IP addresses predominantly in countries such as China, Russia, the United States, Iran, and Turkey.
DDoS Attacks and Target Sectors
The botnet has already been active in launching Distributed Denial of Service (DDoS) attacks since February, with particularly intense activity noted in October and November of the same year. Targets are being hit across various sectors, predominantly in China, the US, Germany, the UK, and Singapore, with hundreds of attacks reported daily.
Targeting XLab
In a particularly audacious move, the botnet's operators turned their attention to XLab itself after the research team registered certain command-and-control (C2) domains for analysis. XLab's researchers reported that the registered domains were targeted with DDoS attacks, each lasting between 10 and 30 seconds. In a bizarre twist of fate, the VPS (Virtual Private Server) XLab used was blackholed by their cloud vendor because of the continuous attacks, leaving it unable to serve the domains at all.
Response from XLab
"As soon as our cloud vendor identified the attacks, they initiated immediate countermeasures, resulting in our VPS being shut down for over 24 hours," XLab explained. The researchers stated that, lacking DDoS mitigation services, they were forced to stop resolving the C2 domain name altogether.
Conclusion
This alarming development heightens concern over the security of IoT devices, reminding users and organizations alike of the urgent need to safeguard their networks against sophisticated botnet threats. As the Mirai botnet continues to evolve, experts urge everyone to strengthen their security protocols to combat this widespread menace effectively. Stay tuned for more updates as we continue to monitor this evolving threat landscape!