U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

New Mirai variant ShadowV2 tests IoT exploits amid AWS disruption

ShadowV2, a new Mirai-based botnet, briefly targeted vulnerable IoT devices during October’s AWS outage, likely as a test run. During the late-October AWS disruption, FortiGuard Labs researchers observed the Mirai-based ‘ShadowV2’ malware exploiting IoT vulnerabilities across multiple countries and industries. The botnet was active only during the outage, suggesting a test run for future attacks. […]

ShadowV2 botnet

ShadowV2, a new Mirai-based botnet, briefly targeted vulnerable IoT devices during October’s AWS outage, likely as a test run.

During the late-October AWS disruption, FortiGuard Labs researchers observed the Mirai-based ‘ShadowV2’ malware exploiting IoT vulnerabilities across multiple countries and industries. The botnet was active only during the outage, suggesting a test run for future attacks. ShadowV2 targets IoT devices using flaws in products from DDWRT (CVE-2009-2765), D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915), DigiEver (CVE-2023-52163), TBK (CVE-2024-3721), TP-Link (CVE-2024-53375).

The bot targeted devices in multiple countries worldwide, including:

  • Oceania: Australia
  • America: Canada, United States, Mexico, Brazil, Bolivia, Chile
  • Europe: United Kingdom, Netherlands, Belgium, France, Czechia, Austria, Italy, Croatia, Greece
  • Africa: Morocco, Egypt, South Africa
  • Asia: Turkey, Saudi Arabia, Russia, Kazakhstan, China, Thailand, Japan, Taiwan, Philippines

Fortinet reported victims in multiple industries, including technology, retail and hospitality, manufacturing, managed security services providers,  government, telecommunication and carrier services, and education.

ShadowV2 spreads through multiple IoT vulnerabilities, dropping the downloader script binary.sh from 81[.]88[.]18[.]108.

The malware resembles the Mirai LZRD variant, decoding its configuration with XOR key 0x22 and loading paths, headers, and User-Agent strings. After resolving its C2 domain, it connects to 81[.]88[.]18[.]108 and identifies itself as ShadowV2 Build v1.0.0 for IoT. It then initializes a wide range of UDP, TCP, and HTTP flood methods, waits for C2 commands, and launches DDoS attacks based on received parameters.

“ShadowV2 supports two transport-layer protocols (UDP and TCP) and the HTTP application protocol. Implemented attack methods including UDP floods, several TCP-based floods, and HTTP-level floods. The malware maps these behaviors to internal function names, such as UDP, UDP Plain, UDP Generic, UDP Custom, TCP, TCP SYN, TCP Generic, TCP ACK, TCP ACK STOMP, and HTTP.” reads the report published by Fortinet. “It listens for commands from its C2  server and triggers DDoS attacks using the corresponding attack method ID and parameters.”

ShadowV2 shows that IoT devices are still a major security weak point. Its evolution signals that threat actors are increasingly focusing on IoT environments.

“The evolution of ShadowV2 suggests a strategic shift in the targeting behavior of threat actors toward IoT environments.” concludes the report. “This underscores the importance of maintaining timely firmware updates, enforcing robust security practices, and continuously monitoring relevant threat intelligence to strengthen overall situational awareness and ensure ecosystem resilience.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ShadowV2 botnet)