Zerobot, a botnet that infects various Internet of Things (IoT) devices and uses them for distributed denial of service (DDoS) attacks, has been updated with new features and new infection mechanisms.
A report from the Microsoft security team says that the malware used to enrol IoT devices in the botnet has reached version 1.1.
With this update, Zerobot can exploit vulnerabilities in Apache HTTP Server and Apache Spark to compromise additional endpoints and then use them in attacks. The vulnerabilities used to deploy Zerobot are tracked as CVE-2021-42013 and CVE-2022-33891.
Apache bug abuse
CVE-2021-42013 concerns the fix for the earlier CVE-2021-41773 vulnerability, which shipped in Apache HTTP Server 2.4.50 and turned out to be incomplete.
Because that fix was insufficient, attackers could still use a path traversal attack to map URLs to files outside of directories configured with alias-like directives, cve.mitre.org explains. "If files outside of these directories are not protected by the usual default 'require all denied' configuration, these requests may succeed. If CGI scripting is also enabled for these aliased paths, this may allow remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50, not earlier versions."
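As an added example for defenders (not code from the article or the Microsoft report), the following Python scans constructed Apache access-log lines for the traversal pattern described above: it repeatedly percent-decodes each request path, so that encoded and double-encoded dot sequences collapse to a literal `..`, and flags requests whose normalized path climbs above the document root, noting whether the target is a CGI path. The log lines, client addresses and paths are all constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed Apache access-log lines for this example; not from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2022:10:00:01 +0000] "GET /icons/apache_pb.png HTTP/1.1" 200 2326
10.0.0.9 - - [01/Dec/2022:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199
10.0.0.9 - - [01/Dec/2022:10:00:03 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 512
10.0.0.7 - - [01/Dec/2022:10:00:04 +0000] "GET /docs/../index.html HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so that a path
    encoded more than once (e.g. %%32%65 -> %2e -> .) is seen literally."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_root(decoded_path: str) -> bool:
    """Heuristic: walk the path segments and report whether '..' ever
    moves above the starting directory (the served document root)."""
    depth = 0
    for seg in decoded_path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def find_traversal(log_text: str) -> list[dict]:
    """Return one finding per request whose decoded path escapes the root."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw = m.group("path").split("?", 1)[0]   # ignore the query string
        decoded = fully_decode(raw)
        if escapes_root(decoded):
            findings.append({
                "client": line.split(" ", 1)[0],
                "raw_path": raw,
                "decoded_path": decoded,
                "encoded": raw != decoded,                   # traversal hidden by encoding
                "cgi": decoded.startswith("/cgi-bin/"),      # CGI target: possible RCE path
                "status": int(line.rsplit(" ", 2)[-2]),      # 200 means the request succeeded
            })
    return findings
```

A 403 on a flagged request shows the default 'require all denied' protection doing its job; a flagged request with a 200 against a CGI path is the case worth investigating first.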
The CVE-2022-33891 vulnerability, by contrast, affects the Apache Spark user interface: it lets an attacker impersonate a user by supplying an arbitrary username and ultimately run arbitrary shell commands. Affected versions are Apache Spark 3.0.3 and earlier, 3.1.1 to 3.1.2, and 3.2.0 to 3.2.1, according to cve.mitre.org.
Microsoft explained that the new version of Zerobot also includes new DDoS attack capabilities, which let its operators target various resources and deny access to them. The report states that in almost every attack type the target port is customizable, allowing attackers who have purchased the malware to tailor the attack as they see fit.