This page was generated automatically; to view the article in its original setting, please follow the link below:
https://industrialcyber.co/control-device-security/singapores-csa-issues-urgent-advisory-on-mirai-botnet-threat-to-industrial-routers-smart-home-devices/
If you wish to have this article removed from our site, kindly get in touch with us
The Cyber Security Agency of Singapore (CSA) has responded to reports of an active Mirai-based botnet operation that uses zero-day exploits against security vulnerabilities in industrial routers and smart home devices. The primary aim of this campaign is to carry out distributed denial-of-service (DDoS) attacks against internet-exposed targets for financial gain. The Mirai botnet spreads across internet-connected devices using a mix of public and private exploits for existing vulnerabilities. Its main targets include digital video recorders (DVRs), industrial and home routers, and smart home appliances.
CSA has identified the following categories of devices as targets of the Mirai botnet: ASUS routers, Huawei routers, Neterbit routers, LB-Link routers, Four-Faith industrial routers, PZT cameras, Kguard DVR, Lilin DVR, generic DVRs, Vimar smart devices, and various 5G/LTE equipment.
“Updating your vulnerable internet-connected devices is vital to maintain the integrity of your system or network,” the CSA stated in its advisory released on Friday. “This action helps to secure the data contained within and ensures that the internet-enabled device does not unintentionally become a component of a malicious botnet used to target other devices.”
Users and administrators are encouraged to check for software updates frequently and apply them without delay; disable remote access to internet-connected devices such as cameras and printers whenever feasible; replace default credentials with passwords of at least 12 characters that mix uppercase and lowercase letters, numbers, and symbols; and perform security scans on their network to identify potential vulnerabilities.
Earlier this month, Moxa revealed that its cellular routers, secure routers, and network security devices are vulnerable due to two significant security flaws. The privilege escalation and OS command injection vulnerabilities pose a major security risk, given their high severity. Moxa has developed suitable patches to rectify these issues.
In September of last year, the National Security Agency (NSA), in cooperation with the Federal Bureau of Investigation (FBI), the U.S. Cyber Command’s Cyber National Mission Force (CNMF), and international partners, concluded that cyber actors associated with the People’s Republic of China (PRC) had established a network of compromised nodes, referred to as a ‘botnet,’ aimed at engaging in malicious conduct. Utilizing these botnets, the hackers compromised thousands of internet-connected devices, including small office/home office (SOHO) routers, firewalls, network-attached storage (NAS), and Internet of Things (IoT) devices. These hackers presumably used the botnet to obscure their identities while executing DDoS attacks or infiltrating U.S. networks.
The advisory pointed out that the botnet relies on the Mirai suite of malware, designed to commandeer IoT devices such as webcams, DVRs, IP cameras, and routers operating on Linux-based systems. The source code for Mirai was made publicly available on the Internet in 2016, leading to other hackers developing their own botnets based on this malware. Since then, various Mirai botnets have been employed to carry out DDoS attacks and other harmful activities against entities within the U.S.
In December, a VulnCheck report revealed a new post-authentication vulnerability affecting Four-Faith industrial routers that is being exploited in the wild. The attacker used the router's default credentials, which in effect allowed unauthenticated remote command execution. VulnCheck has assigned this vulnerability CVE-2024-12856 with a CVSS rating of 7.2. The Four-Faith router models F3x24 and F3x36 are at risk due to an operating system (OS) command injection vulnerability.
Singapore’s CSA unveiled its revised OT Masterplan 2024 during the fourth Singapore Operational Technology Cybersecurity Expert Panel (OTCEP) Forum last August. This document delineates initiatives aimed at enhancing technical cybersecurity capabilities within the OT (operational technology) sector, with the goal of bolstering defenses against escalating threats. It serves as a strategic framework to enhance cybersecurity resilience for both critical and non-critical OT sectors.