Botnet takes advantage of AWS outage to smack 28 countries

A Mirai-based botnet named ShadowV2 emerged during last October's widespread AWS outage, infecting IoT devices across industries and continents, likely serving as a "test run" for future attacks, according to Fortinet's FortiGuard Labs. After infecting vulnerable gear to form a zombie army of IoT devices, the ShadowV2 Mirai variant allows an attacker to remotely control the network of equipment and perform large-scale attacks, including distributed denial-of-service (DDoS) traffic-flooding events.

Luckily, the malware only remained active during the day-long outage, which also knocked major websites offline for hours. During that time, it propagated via several vulnerabilities affecting devices from multiple vendors, including DD-WRT (CVE-2009-2765), D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915), DigiEver (CVE-2023-52163), TBK (CVE-2024-3721), and TP-Link (CVE-2024-53375), Fortinet antivirus analyst Vincent Li said in a Wednesday blog post.

While ShadowV2, a cloud-native botnet, previously targeted AWS EC2 instances in September campaigns, the more recent bot-building effort hit multiple sectors, including technology, retail and hospitality, manufacturing, managed security services providers, government, telecommunication and carrier services, and education. And it reached 28 countries: Canada, US, Mexico, Brazil, Bolivia, Chile, UK, Netherlands, Belgium, France, Czechia, Austria, Italy, Croatia, Greece, Morocco, Egypt, South Africa, Turkey, Saudi Arabia, Russia, Kazakhstan, China, Thailand, Japan, Taiwan, Philippines, and Australia. We've asked Fortinet how many devices were infected by the botnet, and will update this story when we receive a response.

The security shop says in the blog post that the attackers exploit device vulnerabilities to drop a downloader script (binary.sh), which then fetches the ShadowV2 malware as binaries prefixed "shadow" from 81[.]88[.]18[.]108.
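For readers who want to turn the indicators above into a hunt, here is an added example (our own, not Fortinet's or the Register's code) that sweeps proxy or egress-firewall logs for the three things the article names: contact with the 81[.]88[.]18[.]108 staging host, a fetch of the binary.sh downloader, and a fetch of a "shadow"-prefixed payload. The indicators are handled in the defanged form they are usually published in and refanged before matching. The log format and every log line in the block are constructed for the example, and the payload file names (shadow.arm7 and friends) are an assumption, since the article only says the binaries are prefixed "shadow".

```python
"""Hunt for ShadowV2 downloader activity in egress logs.

Added example, not code from Fortinet or The Register. Log format and log
lines are constructed; payload file names are assumed (only the "shadow"
prefix comes from the article).
"""
import posixpath
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Indicators as they are normally published (defanged). Refang before use.
DEFANGED_STAGING_HOSTS = ["81[.]88[.]18[.]108"]
DOWNLOADER_NAMES = {"binary.sh"}
PAYLOAD_PREFIX = "shadow"


def refang(ioc: str) -> str:
    """Turn defanged notation ([.] and hxxp://) back into matchable text."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


STAGING_HOSTS = {refang(h) for h in DEFANGED_STAGING_HOSTS}

# Constructed log format: "<ts> src=<ip> dst=<ip> method=<m> url=<url> status=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"method=(?P<method>\S+) url=(?P<url>\S+) status=(?P<status>\d+)$"
)

# Constructed sample log: two fetches from the staging host, one benign
# request, one binary.sh fetch from an unrelated host, one malformed line.
SAMPLE_LOG = [
    "2025-10-20T14:02:11Z src=10.0.4.17 dst=81.88.18.108 method=GET url=http://81.88.18.108/binary.sh status=200",
    "2025-10-20T14:02:13Z src=10.0.4.17 dst=81.88.18.108 method=GET url=http://81.88.18.108/shadow.arm7 status=200",
    "2025-10-20T14:05:40Z src=10.0.4.22 dst=93.184.216.34 method=GET url=http://example.com/index.html status=200",
    "2025-10-20T14:06:02Z src=10.0.4.31 dst=203.0.113.9 method=GET url=http://203.0.113.9/binary.sh status=404",
    "malformed line here",
]


@dataclass
class Hit:
    ts: str
    src: str
    url: str
    confidence: str            # "high" when the staging host itself is involved
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None (and let the caller count it) if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: dict) -> Hit:
    """Attach every matching indicator to the record; empty reasons means clean."""
    url = urlparse(rec["url"])
    host = url.hostname or ""
    name = posixpath.basename(url.path)
    reasons = []
    if host in STAGING_HOSTS or rec["dst"] in STAGING_HOSTS:
        reasons.append("contact with ShadowV2 staging host")
    if name in DOWNLOADER_NAMES:
        reasons.append("fetch of downloader script")
    if name.startswith(PAYLOAD_PREFIX):
        reasons.append("fetch of shadow-prefixed payload")
    # A file-name match alone is weak (names are trivially changed), so it is
    # only flagged for review; the published host is the strong signal.
    confidence = "high" if reasons and reasons[0].startswith("contact") else "review"
    return Hit(rec["ts"], rec["src"], rec["url"], confidence, reasons)


def hunt(lines: List[str]) -> List[Hit]:
    """Return one Hit per log line that matched at least one indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                       # malformed lines are skipped, not fatal
        hit = classify(rec)
        if hit.reasons:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"{h.confidence:6} {h.ts} {h.src} {h.url}  <- {'; '.join(h.reasons)}")
```

Run against real logs, feed `hunt()` the lines of your proxy or NetFlow-derived HTTP log after adapting `LOG_RE` to its format, and extend `DEFANGED_STAGING_HOSTS` with the full indicator list Fortinet published. Note that a 404 on binary.sh (as in the fourth sample line) still tells you the source device was reached by the exploit stage and is worth isolating, even though the payload never arrived.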
It's similar to the LZRD Mirai variant, in that it initializes an XOR-encoded configuration and then connects to a command-and-control server to receive commands and trigger DDoS attacks. When executing, however, it displays this string: ShadowV2 Build v1.0.0 IoT version. "Based on this string, we assess that it may be the first version of ShadowV2 developed for IoT devices," Li wrote.

While the IoT-infecting malware's only activity occurred during the AWS outage - so far - the botnet's emergence serves as a good reminder to secure IoT devices, update firmware, and monitor for unusual and spammy network traffic. Fortinet has also published a comprehensive list of indicators of compromise, so be sure to check those out to assist with the threat hunting. As Li noted, "ShadowV2 reveals that IoT devices remain a weak link in the broader cybersecurity landscape."

Shortly after ShadowV2's test run, Microsoft said Azure was hit by the "largest-ever" cloud-based DDoS attack, originating from the Aisuru botnet and measuring 15.72 terabits per second (Tbps). The Windows giant's cloud DDoS protection service mitigated the traffic tsunami - nearly 3.64 billion packets per second - on October 24, and, according to Microsoft, no customer workloads experienced any service interruptions. ®