
Aquabot variant v3 targets Mitel SIP phones


A new variant of the Mirai-based botnet Aquabot targets vulnerable Mitel SIP phones to recruit them into a DDoS botnet.

Akamai researchers spotted a new variant of the Mirai-based botnet Aquabot that is targeting vulnerable Mitel SIP phones.

Aquabot is a Mirai-based botnet designed for DDoS attacks. Named after the “Aqua” filename, it was first reported in November 2023.

As this is the third distinct iteration of Aquabot, Akamai tracked this variant as Aquabotv3. The bot targets the command injection vulnerability CVE-2024-41710 that impacts Mitel models.

“This third iteration adds a novel activity for a Mirai-based botnet: C2 communication when the botnet catches certain signals.” reads the report published by Akamai. “This, and other notable differences in functionality, separate the two versions significantly, supporting the distinction of a third variant.”

The malware targets the flaw CVE-2024-41710 that affects Mitel 6800, 6900, and 6900w series SIP phones, including the 6970 Conference Unit through R6.4.0.HF1 (R6.4.0.136).

In mid-July 2024, Mitel addressed the vulnerability with the release of firmware updates. The vendor warned that the exploitation of the flaw “could allow an authenticated attacker with administrative privilege to conduct a command injection attack due to insufficient parameter sanitization during the boot process”.

A month later, PacketLabs researcher Kyle Burns published PoC exploit code for CVE-2024-41710.

Akamai states that there were no reports of attacks exploiting this vulnerability in the wild prior to the SIRT’s observations in January 2025.

“The exploit proof of concept (PoC) shows us that an attacker could smuggle in entries otherwise blocked by the application’s sanitization checks by sending a specially crafted HTTP POST request.” continues the report. “In his GitHub README, Burns reported that he found that the Mitel 6869i SIP phone, firmware version 6.3.0.1020, failed to sanitize user-supplied input properly, and he found multiple endpoints vulnerable to this. For the PoC, he focused on the endpoint “802.1x Support” (8021xsupport.html).”
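As an added example (not code from Akamai, Mitel or the article), the following Python triage helper turns the details above into two defender checks: which phones in an inventory are still on firmware the article lists as affected, and which HTTP clients are POSTing to the 8021xsupport.html endpoint the published PoC used. The inventory rows, log lines and the "R6.4.0.137" build are constructed sample data; series membership is inferred from the leading model digits and a bare "HFn" tag is compared conservatively, both assumptions.

```python
import re
from typing import List, Tuple

# Added example, not from the Akamai report or Mitel. Per the article: 6800/6900/6900w
# series SIP phones (incl. the 6970) through R6.4.0.HF1 (R6.4.0.136) are affected,
# and the PoC sent a crafted HTTP POST to 8021xsupport.html.
LAST_AFFECTED = (6, 4, 0, 136)          # R6.4.0.136, as stated in the article
POC_ENDPOINT = "8021xsupport.html"


def parse_firmware(version: str) -> Tuple[int, ...]:
    """'R6.4.0.136', '6.3.0.1020' or 'R6.4.0.HF1' -> 4-field comparable tuple.
    Assumption: a bare 'HFn' tag without a build number is padded with 0, so it
    compares as affected (conservative for fleet triage)."""
    core = version.strip().lstrip("Rr").split("HF")[0]
    nums = [int(n) for n in re.findall(r"\d+", core)]
    return tuple(nums + [0] * (4 - len(nums)))[:4]


def is_affected_model(model: str) -> bool:
    """Assumption: 6800/6900/6900w series are the models whose number starts 68 or 69."""
    m = re.match(r"(\d{2})\d{2}", model.strip())
    return bool(m) and m.group(1) in ("68", "69")


def is_vulnerable(model: str, firmware: str) -> bool:
    return is_affected_model(model) and parse_firmware(firmware) <= LAST_AFFECTED


def flag_poc_endpoint_posts(log_lines: List[str]) -> List[str]:
    """Source IPs of POSTs to the 802.1x support page, for review against the
    hosts that are legitimately allowed to administer the phones."""
    pat = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "POST /[^ "]*' + re.escape(POC_ENDPOINT))
    return [m.group(1) for m in map(pat.match, log_lines) if m]


# Constructed sample data (not real telemetry); R6.4.0.137 is a hypothetical later build.
SAMPLE_INVENTORY = [
    ("6869i", "6.3.0.1020"),   # the PoC's test phone and firmware: affected
    ("6970", "R6.4.0.HF1"),    # last affected release named in the article
    ("6940", "R6.4.0.137"),    # hypothetical later build: not affected
    ("6867i", "R6.4.0.136"),
    ("5340", "R6.3.0.1020"),   # outside the affected series
]
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2025:09:14:01 +0000] "GET /8021xsupport.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2025:09:14:07 +0000] "POST /8021xsupport.html HTTP/1.1" 200 88',
    '10.0.0.5 - - [10/Jan/2025:09:15:11 +0000] "POST /login.html HTTP/1.1" 302 0',
]


def triage(inventory=SAMPLE_INVENTORY, log=SAMPLE_LOG):
    """Phones still on affected firmware, plus POST sources hitting the PoC endpoint."""
    return [m for m, fw in inventory if is_vulnerable(m, fw)], flag_poc_endpoint_posts(log)


if __name__ == "__main__":
    print(triage())
```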

This malware exhibits a behavior that is unusual for a Mirai variant: it includes a function (report_kill) that reports to the command and control server when a kill signal is detected on the infected device.

Like other botnets, Aquabot v3 targets additional vulnerabilities in various products, including Hadoop YARN, the Roxy-WI web interface, and routers from Linksys, Teltonika, Dasan GPON, and LB-LINK.

The threat actors behind Aquabot have been advertising it as a DDoS-as-a-service on platforms like Telegram under various misleading names, such as Cursinq Firewall and The Eye Botnet. They often claim it is for DDoS mitigation testing, but experts pointed out that it spreads Mirai malware and is used for real attacks.

“In the case of Aquabot, the core malware is the same as Mirai but the signal handling is particularly unique. Unique, however, is not always the most useful — this malware was not particularly quiet, which could be to its detriment.” concludes the report that includes Indicators of Compromise (IoCs).

“The reason for the unique signal handling could be that the threat actor is intentionally observing a machine’s defensive activity to develop more stealthy variants in the future. It could also be used to detect active disruption/attacks from competing botnets or ethical take down campaigns, or any combination thereof.”


Pierluigi Paganini

(SecurityAffairs – hacking, Mirai)