F5 Networks researchers have detected a new variant of the “Echobot” malware, now consisting of 71 exploits. The authors continue the trend of arming the malware, and the threat group continues to expand its operation. The newly added exploits target both old and new vulnerabilities, and add new targets: industrial control system devices from Mitsubishi, Barracuda web app firewall, Citrix NetScaler application delivery controllers, video conferencing systems, and additional network and endpoint administration tools.
Earlier this year, Palo Alto Networks [1] reported a new variant from the Mirai malware family, dubbed “Echobot” after the malware's dropped file name. Initial versions of the malware used 26 exploits to propagate itself. Later, in August of 2019, it was reported [2] to have gone over 50 exploits. At 71, we are seeing substantial growth in Echobot’s attack capability.
Although the core malware functionality of this latest variant hasn’t changed much since inception, the addition of a variety of new exploits puts new systems into its crosshairs.
While most of the Mirai variants target IoT devices, such as home routers and IP cameras, this version of Echobot adds a notable exploit for CVE-2019-14927, which targets Mitsubishi Electric's Remote Terminal Unit (RTU).
The Mitsubishi RTU [3] is an industrial controller with remote access to communicate with SCADA systems in the oil and gas industry, the power industry, and others. Industrial control systems have seen an increase in attacks over the past years [4], including some chilling suggestions of possible cyber-terrorism attacks [5]. However, it is uncommon for general-purpose botnets like Mirai to include exploits targeting a specific component such as the Mitsubishi RTU. Figure 1 below shows the product web page for the Mitsubishi smartRTU. While industrial control systems are essential components responsible for running critical infrastructure, they were never designed to be Internet-connected and are therefore notorious for security-related flaws. Echobot leverages that weakness, making it more dangerous than before.