
New Mirai Botnet ShadowV2 Infiltrates IoT Devices During AWS Outage

A Mirai-based botnet known as ShadowV2 emerged during a significant AWS outage last October, infecting IoT devices across various industries worldwide. Fortinet’s FortiGuard Labs suggests that this operation may have been a precursor for more extensive attacks in the future.

During the day-long AWS outage, ShadowV2 capitalized on vulnerabilities in multiple Internet of Things (IoT) devices. This variant of Mirai enabled attackers to gain remote control over infected devices, allowing for potential large-scale distributed denial-of-service (DDoS) attacks. The attack caused widespread disruptions, knocking many major websites offline for hours.

ShadowV2 spread by exploiting vulnerabilities in devices from numerous vendors. The exploited flaws included one in DD-WRT (CVE-2009-2765), several in D-Link devices (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915), and others in DigiEver, TBK, and TP-Link products. Fortinet’s antivirus analyst Vincent Li detailed these exploits in a recent blog post.

Previously, ShadowV2 had targeted AWS EC2 instances, but this time the botnet’s impact resonated across multiple sectors such as technology, retail, hospitality, manufacturing, governmental services, telecommunications, and education. The botnet reached 28 countries, including the United States, Canada, various nations in Europe, South America, Asia, and Australia.


Fortinet is still investigating the total number of infected devices and intends to update its findings when more information becomes available.

According to the blog post, attackers used an exploit to deploy a downloader script, referred to as “binary.sh,” which in turn fetched the ShadowV2 malware: binaries whose names begin with “shadow,” served from a specific command-and-control server. Li noted that the script’s simplicity resembles the LZRD Mirai variant; the malware initializes an XOR-encoded configuration and then connects to a command-and-control server to receive DDoS commands. On execution, the malware identifies itself with the label “ShadowV2 Build v1.0.0 IoT version,” suggesting it is an initial release tailored for IoT devices.
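The XOR-encoded configuration described above is a common Mirai trait, and the first triage step for a sample is recovering the key so the embedded strings (C2 host, shell commands, the build label) can be read. The following helper is an added example, not code from the Fortinet post or this article: it recovers a single-byte XOR key by checking analyst-chosen cribs (which strings ShadowV2 really embeds, and its actual key, are assumptions; the sample blob and key 0x22 are constructed here).

```python
import re
from typing import Dict, List, Optional

# Analyst-chosen cribs: strings a Mirai-derived config usually carries.
# Whether ShadowV2 embeds exactly these is an assumption, not stated on the page.
CRIBS = [b"/bin/busybox", b"/proc/", b"ShadowV2"]
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR is an involution: the same call encodes and decodes."""
    return bytes(b ^ key for b in data)

def find_xor_key(blob: bytes, cribs=CRIBS) -> Optional[int]:
    """Return the single-byte key under which any crib appears in the decoded blob, else None."""
    for key in range(256):
        decoded = xor_bytes(blob, key)
        if any(crib in decoded for crib in cribs):
            return key
    return None

def extract_config_strings(blob: bytes, key: int) -> List[str]:
    """Printable runs from the blob decoded with `key`, i.e. the config dump an analyst reads."""
    decoded = xor_bytes(blob, key)
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(decoded)]

def triage(blob: bytes) -> Dict[str, object]:
    key = find_xor_key(blob)
    strings = extract_config_strings(blob, key) if key is not None else []
    return {"key": key, "strings": strings}

# Constructed sample: the page's build label plus two Mirai-typical strings, XOR-encoded
# with a constructed key. 0x22 is what the classic Mirai table key 0xDEADBEEF reduces to
# when its four bytes are applied in sequence; ShadowV2's real key is not given on the page.
SAMPLE_KEY = 0x22
SAMPLE_PLAINTEXT = [b"ShadowV2 Build v1.0.0 IoT version", b"/bin/busybox", b"c2.example.invalid"]

def build_sample_blob(key: int = SAMPLE_KEY) -> bytes:
    # Separator bytes stay non-printable after decoding with SAMPLE_KEY, so runs do not merge.
    separator = bytes([0x91, 0xC3, 0xA5])
    return b"".join(separator + xor_bytes(s, key) for s in SAMPLE_PLAINTEXT) + separator

if __name__ == "__main__":
    result = triage(build_sample_blob())
    print(f"recovered key: 0x{result['key']:02x}")
    for s in result["strings"]:
        print("  ", s)
```

On a real sample, run `triage` over the binary's data section rather than a constructed blob; a `None` key means none of the cribs matched and the variant likely uses a different scheme than single-byte XOR.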

Although the malware’s activity appears confined to the AWS outage, the incident underscores the critical need for enhanced security measures for IoT devices. Fortinet highlights the importance of device firmware updates and monitoring for unusual network traffic as preventive steps. They have also published a list of indicators of compromise to aid in threat detection. Li remarked that “ShadowV2 reveals that IoT devices remain a weak link in the broader cybersecurity landscape.”

In a related development, shortly after the activities of ShadowV2, Microsoft reported that its Azure cloud platform experienced one of the largest-ever cloud-based DDoS attacks attributed to the Aisuru botnet, which peaked at 15.72 terabits per second. Microsoft’s DDoS protection service effectively managed the incoming traffic surge, processing nearly 3.64 billion packets per second without any reported service interruptions for its customers.
