VMware and F5 BIG-IP flaws are being exploited by EnemyBot

EnemyBot, a botnet derived from many pieces of malware codes, extends its overall reach by rapidly incorporating exploits for previously detected severe vulnerabilities in web servers, content management systems, IoT, and Android devices

When Fortinet released an analysis of fresh samples by April, it had already included weaknesses for over a dozen processor architectures. Its primary goal is to perform distributed denial-of-service (DDoS) attacks, including modules that scan for and infect new target devices. 

According to a recent analysis from AT&T Alien Labs, the latest EnemyBot versions have exploits for 24 flaws.

What has been discovered?

Recently, the latest variants of EnemyBot were found adding exploits for 24 vulnerabilities, along with other enhancements.

• The botnet has added flaws for more than a dozen processor architectures such as ARM, x86, OpenBSD, macOS, PowerPC, and MIPS.
• Additionally, it is suspected to have some strong correlation with the LolFMe botnet in terms of having similar strings, structure, and patterns in the code.

The DDoS botnet targeted several routers and web servers by exploiting known vulnerabilities. It targets multiple architectures, including arm, bsd, x64, and x86. Moreover, it is operated by a group named Keksec, which seems to be expanding its botnet network.

Once a vulnerability has been successfully exploited, the malware runs a shell command to download a shell script from a URL that is dynamically updated by the C&C. The script is responsible for downloading the actual Enemybot binary compiled for the target device’s architecture.

Finally after a successful infection, the malware connects to its C&C server and awaits instructions. Based on received commands, it can perform DNS amplification attacks and various types of DDoS assaults, sniff traffic, and spread to other devices via brute force attacks.

Exploited flaws – EnemyBot

The analysis of the new variant of EnemyBot by AT&T Alien Labs disclosed information regarding the exploited flaws:

• CVE-2022-22954: A remote code execution flaw in VMware Workspace ONE Access and Identity Manager.
• CVE-2022-22947: A remote code execution flaw in Spring, fixed in March 2022, and targeted throughout April.
• CVE-2022-1388: A remote code execution flaw in  F5 BIG-IP that leads to device takeover.
• Other targeted flaws include vulnerabilities associated with routers and IoT devices such as CVE-2022-27226 (iRZ), CVE-2022-25075 (TOTOLINK), and the infamous Log4Shell vulnerability.

Mitigation for EnemyBot

• Ensure systems are fully patched and not vulnerable to RCE
• Patch IoT devices’ firmware to the latest versions to mitigate external exploitation
• Employ the usage of layer-7 network monitoring and detection to detect common exploits that may leverage RCE
• Ensure that externally exposed network segments are isolated from internal hosts
• Disable or limit execution from linux /tmp/ directories

IOCs