Beastmode (or B3astmode), a Mirai-based decentralized denial-of-service (DDoS) botnet, has extended its list of exploits to include three new ones, all of which target various models of Totolink devices.
Totolink is a well-known electronics sub-brand of Zioncom which recently published firmware patches to address three critical-severity flaws. DDoS botnet programmers wasted little time in adding these holes to their arsenal to take advantage of the window of opportunity before Totolink router customers installed the security patches. Beastmode has gained control of vulnerable routers, giving it access to hardware resources it can use to execute DDoS attacks.
The following is a list of vulnerabilities in TOTOLINK routers:
- CVE-2022-26210 (CVSS 9.8) - A command injection vulnerability that could be used to execute arbitrary code.
- CVE-2022-26186 is a vulnerability that affects computers (CVSS score: 9.8) TOTOLINK N600R and A7100RU routers are vulnerable to a command injection vulnerability.
- CVE-2022-25075 to CVE-2022-25084 (CVE-2022-25075 to CVE-2022-25084) (CVSS scores: 9.8) - A buffer overflow vulnerability has been discovered in certain TOTOLINK routers, resulting in code execution.
CVE-2021-4045 is used to target the TP-Link Tapo C200 IP camera, which the researchers haven't seen in any other Mirai-based campaign. For the time being, the exploit has been implemented incorrectly and does not operate. "Device users must still update its camera software to correct this issue," the researchers suggest, citing indications of continued development.
Although the flaws affect different devices, they all have the same effect: they allow the attacker to insert commands to download shell scripts via the wget command and infect the device with Beastmode. The shell scripts differ depending on which devices have been infected and which exploit has been used.
The vulnerabilities were not the only ones introduced to the Beastmode botnet; its creators also added the following previous bugs:
D-Link is affected by CVE-2021-45382, a remote code execution bug. DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L are the DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L.
- CVE-2021-4045 — Unauthenticated remote code execution bug in the TP-Link Tapo C200 IP camera.
- CVE-2017-17215 — Unauthenticated remote code execution problem in Huawei HG532
- CVE-2016-5674 — Remote execution of arbitrary PHP code through the log argument in the Netgear ReadyNAS product line.
Ensure to deploy the available security updates which correct the vulnerabilities mentioned above to prevent Mirai versions from seizing control of any router or IoT devices.
Totolink users should go to the vendor's download center, choose the device model, and download and install the most recent firmware version available.
A slow internet connection is one of the symptoms if your router has been exploited. Additional indicators include the device heating up more than usual, inability to get into the administration panel, changing settings, or an unresponsive device, which a typical user is likely to overlook.
