CyberWire Daily - A tale of two botnets. [Research Saturday]
Episode Date: June 28, 2025
This week we are joined by Kyle Lefton, Security Researcher from Akamai, who is diving into their work on "Two Botnets, One Flaw - Mirai Spreads Through Wazuh Vulnerability." Akamai researchers have observed active exploitation of CVE-2025-24016, a critical RCE vulnerability in Wazuh, by two Mirai-based botnets. The campaigns highlight how quickly attackers are adapting proof-of-concept exploits to spread malware, underscoring the urgency of patching vulnerable systems. One botnet appears to target Italian-speaking users, suggesting regionally tailored operations. The research can be found here: Two Botnets, One Flaw: Mirai Spreads Through Wazuh Vulnerability
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a word from our sponsor, Spy Cloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
Spy Cloud's holistic identity threat protection helps security teams uncover and automatically
remediate hidden exposures across your users from breaches, malware, and phishing to neutralize
identity-based threats like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business. Get your free corporate dark net exposure report
at spycloud.com slash cyberwire
and see what attackers already know.
That's spycloud.com slash cyberwire.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities, solving some of the hard problems and protecting
ourselves in a rapidly evolving cyberspace. Thanks for joining us.
If you've followed Akamai SIRT publications before, you might know that we run a global
network of honeypots that collect on a lot of different vulnerabilities that different
kind of botnets are targeting. These tend to be IoT devices,
but if you've been following Mirai botnets
or botnets in general for a while,
you might know that sometimes they do target vulnerabilities
for machines that are not IoT, like in this case.
That's Kyle Lefton, security researcher at Akamai.
The research we're discussing today
is titled Two Botnets, One Flaw.
Mirai Spreads Through Wazuh Vulnerability.
As part, one of the things that we do in our day-to-day job
is go through our Honeypot network
and try to identify anything that stands out.
'Cause we get hundreds of thousands,
if not millions of requests
coming in all the time. So it's a lot of junk to sift through sometimes. So we have certain
ways to try to look through and identify things that haven't been seen before, whether or
not that's a zero-day, or it could be something like in this case, it was previously reported,
but it was not reported as being actively exploited. Nobody had written about it, and so it wasn't in CISA's
Known Exploited Vulnerabilities catalog.
And so in those cases, it's worthwhile to bring up like,
hey, we're not only just seeing one botnet exploit this,
we're seeing two different botnets exploit this.
So that's how it becomes relevant.
So we have a lot of times where we identify something
that we think is maybe interesting in there, and then we start to dive down the rabbit hole a bit
on it and then determine, oh well this this is not actually very interesting to
report on because maybe somebody else has already reported on it or maybe it
was, you know, an erroneous piece of data that we're looking at. Well, let's talk
about, let's start off with Wazuh itself.
What is it and how is it typically used
in enterprise environments?
Yeah, so very different to what we would usually report on.
Wazuh is a security, a cybersecurity platform,
open source, XDR and SIEM.
So it's not, again, it's not unheard of for something separate like that
to be exploited by a botnet, but it's certainly uncommon.
A lot of different enterprises use it.
I know that the company itself claims, I believe, 30 million downloads a month publicly claimed, used by a bunch of Fortune 500 companies. So it's pretty wide.
I know we found through Censys scans,
maybe about 5,000 publicly accessible Wazuh servers.
So it is fairly widely used.
I see.
A lot of this centers around a particular CVE.
This is CVE-2025-24016. Take us through what is particularly interesting about that
vulnerability.
Yeah, so basically what this CVE is, it's a remote code execution vulnerability in Wazuh affecting versions 4.4.0 through 4.9.0,
with 4.9.1 being the patched version.
So it stems from an unsafe deserialization in it
through certain parameters, which we explain in the...
A bit more in-depth in the article, I won't necessarily get into that here.
So this can be exploited by threat actors, not just for botnets.
Somebody else could use that, let's say, to execute arbitrary code on your Wazuh server,
if it is affected by this, to maybe establish backdoors or to do other nefarious things.
So it's rated pretty highly, 9.9 critical as far as a CVSS score.
So it is pretty severe if you are affected by it.
Well, walk me through how the vulnerability works here. What's the mechanism that allows
for remote code execution here?
Yeah, absolutely. So basically, there's a proof of concept actually that was written on it back in February.
So you can inject an unsanitized dictionary
into the DAPI requests, which then can lead to evaluation
of the arbitrary Python code.
So you can trigger the RCE using the run_as endpoint, which enables the attacker to control the auth_context argument. There's a whole Burp request.
You could actually run this using Burp.
As an example, that was used in the proof of concept
that was initially drafted up.
So that's something that we see sometimes as well.
That's why we mention this as sometimes a double-edged sword
is that it's likely that some of these threat actors will
Observe those proof of concepts and then adopt those to their own active exploitations
Hmm now you all spotted this exploitation back in March of this year
And that was just a few weeks after the vulnerability was disclosed
Why do you suppose the response window is so short in this case?
So it could be a variety of reasons. Sometimes, like in the case of some of the previous
publications we reported on, I believe it was either the Edimax one or it might have been
the, it's not DigiEver, I think it might have been the Edimax one where we had one where there
were two CVEs exploited, one disclosed in June or July of 2024 and the next in November, but we didn't
see any exploitation until April.
So sometimes there is a longer window.
I think it definitely speeds things up.
Like in the case of this one where there was a proof of exploit or proof of concept exploit
that was published back in February.
So it makes it pretty trivial to do.
And a lot of these threat actors, you know, we've seen through, you know,
looking at their Telegram chats sometimes, that they pay attention to these security articles.
They pay attention to these CVEs.
They get published if it's relevant to what they're trying to do.
And so that's part of why they quickly adopt a lot of this. And the quicker, as a botnet, the quicker you adopt these into your arsenal,
the more effective it'll be because organizations, especially the large ones, can take a while to do patching.
Well, you talk about how the attackers weaponized this proof of concept.
Were there changes that you all tracked that when they
converted it to be a tool for malware delivery?
Yeah, I mean, a lot of it aligns pretty similarly to what the proof of concept is. A lot of
it is pretty typical to how they normally exploit or send the exploit code.
So usually a lot of the chain of exploitation
with a lot of the Mirai exploits that we see
is to execute the arbitrary code,
to download and execute a shell script,
which then in turn downloads the main Mirai malware payload
to execute on the target machine.
So a lot of it is just repurposing the initial proof of concept to account for that kind of
exploitation. I see. Well your research talks about two botnets. Can we talk
about those two campaigns? You've got Mirai and then there's one that you all
are calling, I believe it's ResBot? Yeah, and also ResBot is, I'll go into both,
ResBot is just what we're calling
that specific Mirai variant.
It's all actually Mirai variants.
So the first one uses a variety of different ones.
So it uses the Wizard variant,
which has been around for years and years.
I think the first mentions I was finding of
Wizard online were maybe back in 2018. So that's source code that's been
floating around there for quite a while. But they were using a variety of
other stuff, like they were using something called V3G4, or we like to
dub it as Vega, and then they had what might be a modified variant of Vega,
a newer version. Vega is something that we have seen before, and I believe we've reported
on that before as well. As far as the malware itself, a lot of this is reused source code.
A lot of these don't really change super significantly
between each other, at least for the ones that we saw.
So a lot of it is kind of just the distinction
of it's different people operating
some of these botnets.
Because a lot of it is just reused code from people.
So with the ResBot, they weren't using
as many different variants. We just saw the one
variant that we just dubbed as ResBot based on the strings and based on the
C2 domains that they were using. That one was a little bit interesting in the sense that
they had a bunch of C2 domains that were appearing to potentially target Italian-speaking users,
which is something that we haven't really seen much before.
So we don't really know the exact motive behind that.
We can maybe speculate on some of the reasons.
One of my theories perhaps is that if they're targeting Italian-speaking users, the domains are perhaps made to look like some kind of legitimate
Italian domain.
So then if network defenders for machines that they're targeting go through to look
at their network logs and they see this, maybe their alarm bells don't go off because they
might see that as more legitimate perhaps is one of my theories.
But it is unusual activity.
We'll be right back.
Risk and compliance shouldn't slow your business down.
Hyperproof helps you automate controls, integrate real-time risk workflows,
and build a centralized system of trust so your teams can focus on growth, not spreadsheets.
From faster audits to stronger stakeholder confidence, Hyperproof gives you the business
advantage of smarter compliance. Visit www.hyperproof.io to see how leading teams are transforming their GRC programs.
Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now, and I'm just as impressed today as I was when I signed up.
DeleteMe keeps finding and removing my personal information from data broker sites, and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind.
And it's not just for individuals. DeleteMe also offers solutions for businesses,
helping companies protect their employees' personal information
and reduce exposure to social engineering and phishing threats.
And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Just go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
Let's talk about the malicious infrastructure.
The research talks about some of the key indicators of compromise that you all were tracking here.
Can you take us through that?
Yeah, absolutely.
So a lot of the stuff we focus on as far as indicators of compromise,
of course you have your IPs, your domains, your hashes.
I like to do a lot of pivots off of IOCs.
So I mentioned that in ResBot for example.
You take one domain or you take another IP
that's whether it's a C2 or not.
You could use various tools, some proprietary, some more open source like VirusTotal, pivot
off of those and see what overlaps as far as connections to that.
For example, with domain names, if you have the log data for it of, hey,
you have these IP addresses that match two different domain
names, and these IP addresses are not
like Cloudflare or something, or some big hosting provider that
hosts thousands of other websites on that same IP,
and they're all shifting to different
domains that look suspicious all at the same time, the same dates, and then all of those
domains are in turn popping up positive for,
you know, the same Mirai malware, basically, then that builds up a stronger case that these are all connected.
So I like going through and
building out the broader infrastructure through pivoting through a lot of those network-based indicators there.
And so that's a lot of how we got through to map out some of this infrastructure as
well as then, of course, verifying through the malware itself and then through our own
honeypots as well.
I see.
Can you tell us a little bit more
about your own efforts there?
I mean, is it the kind of thing where after a while
you kind of have your own sense about it,
where you can kind of figure if you're on the right path
and not going down a blind alley?
Yeah, sure.
I mean, I've had plenty of times
where I've gone down the wrong alley with something.
Yeah.
So I think with going through this stuff, you start to pick up, you know, the more you
do it, you start to learn what you would determine as, hey, high confidence as far as linking
something if you're pivoting through something or if you're looking through, I don't know, honeypots.
Like, I've gotten to recognize different kinds of strings
or different kinds of, like, URIs coming through as far
as web requests as what we've seen or not seen.
So I could look at something I might not
be able to remember off the top of my head,
the specific CVE number for something.
But I could say, hey, maybe this is a Huawei router exploit.
Or at the very least say, hey, this is something that we've seen before.
And I can just filter that out to not get that kind of junk in there.
Or maybe you're going through and analyzing a Mirai malware sample.
And you can determine, hey, well, this, a lot of the code in here,
a lot of the attack commands are something
that we've seen before, and it's not anything
that particularly sticks out.
And so once you get to that point,
it definitely helps with investigations
because it helps save a lot of time
that could otherwise be spent going down
this big rabbit hole and not yield much useful information.
Yeah, I mean, it's a really interesting insight,
and I guess it speaks to that notion that there's no substitute for experience, right?
Yeah, absolutely. I know a lot of people, you know, a little bit of a separate topic, I suppose,
but a lot of people have talked about AI
and the advancement of that and how that would affect
even in the security industry,
as far as replacing a lot of these tasks.
And I think AI can be used a lot to assist in these places,
but at the moment, it doesn't usually have the kind of
knowledge or context to go through and recognize and
parse through all this stuff like an analyst would at this point. Yeah.
Well, let's talk about defense and mitigation here
I mean, what are your recommendations for defenders out there if they think this is something that they should have their eye on?
Yes, so I mean
Aside from the obvious,
which is patch your systems,
I think that's the most important.
Always will stress that.
I would say with this too is make sure,
if your systems, if you're running Wazuh,
don't have your servers publicly accessible
on the internet unless there's some other kind of filters
to it or good reason.
A lot of this will affect the API.
So make sure the API is locked down.
There's, I know that we identified, I think,
yeah, 5,000 or over 5,000 servers
that were publicly accessible that were running Wazuh
through just Censys queries.
So if you don't have any reasonable need
to be publicly accessible on the internet,
it's best to just cordon that off.
And then of course, in lieu of that,
patch your systems as well.
I'm curious, from your perspective, balancing the need for transparency through
things like public proof of concepts, but then on the flip side of that, you have the
risk of rapid weaponization, which we kind of saw here.
How do you balance those two needs of the security community?
I think that's a great question.
I think that's a tricky one.
'Cause yeah, I mean, we've detailed that a bit in our article
that it's a little bit of a double-edged sword.
It helps people identify and analyze the vulnerability
in their own configurations, in their own organization,
to try to mitigate things better and be more aware of it, but then yes, as you say, it can allow for rapid weaponization adoption.
I suppose you could have other alternatives, such as having organizations be part of some trusted partnership or
membership group and distribute things like exploit code for proof of concepts within those trusted circles rather than having those publicly accessible on the internet.
I suppose you could make an argument for that, which would provide a lot of the same purpose
but help mitigate that.
Of course, the issue you have with that is, you know, maybe certain smaller organizations
can't get access to that and then it would become, you know,
this inside club, so to speak.
So that's just kind of an idea, I suppose.
I think overall the whole CVE program
does more good than harm.
And I think it's necessary to have at this point.
But yeah, there's definitely some downsides to it.
And there could be a
discussion as far as what proof of concepts, how necessary are they, or should they be
as public as they are? I don't really know the answer to that myself. So it's definitely
a trend that's been going on. And I expect that trend to continue.
Our thanks to Kyle Lefton from Akamai for joining us.
The research is titled, Two Botnets, One Flaw:
Mirai Spreads Through Wazuh Vulnerability.
We'll have a link in the show notes.
And that's Research Saturday brought to you by N2K CyberWire.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights through the end of this summer.
There's a link in the show notes.
Please do check it out.
This episode was produced by Liz Stokes.
We're mixed by Elliot Peltsman and Trey Hester.
Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner.
Thanks for listening, we'll see you back here, next time.