ShadowV2 Botnet Exploited AWS Outage in Malware Test

Summary
– ShadowV2 is a new Mirai-based botnet targeting IoT devices from D-Link, TP-Link, and other vendors by exploiting known vulnerabilities.
– The botnet was active only during the October AWS outage, suggesting it may have been a test run, though it was unrelated to the outage.
– It spreads by exploiting at least eight vulnerabilities, including CVE-2024-10914 and CVE-2024-10915, which D-Link will not fix for end-of-life devices.
– ShadowV2 supports DDoS attacks over UDP, TCP, and HTTP and uses a downloader script to infect devices globally across multiple sectors.
– The malware’s operators and monetization strategy are unknown; Fortinet has shared indicators of compromise to help detect the threat.
A newly identified botnet known as ShadowV2, which builds upon the notorious Mirai framework, has been actively compromising Internet of Things devices from manufacturers such as D-Link and TP-Link. Security analysts from Fortinet’s FortiGuard Labs detected the malware during the widespread AWS service disruption that occurred in October. While the botnet’s activity was not responsible for the cloud outage, its brief operation throughout that period suggests the attackers may have been conducting a live test of their capabilities.
This malicious software spreads by exploiting eight security flaws found across a range of IoT products. Among the listed flaws is an older DD-WRT bug (CVE-2009-2765), but two recent vulnerabilities have drawn the most attention.
CVE-2024-10914 is a command injection flaw already being abused in end-of-life D-Link devices. The company has confirmed it will not release a patch for the affected hardware. CVE-2024-10915, highlighted in a NetSecFish report in November 2024, met a similar fate. After inquiries, D-Link verified that certain models will remain unpatched. The company then updated an older security bulletin to include the new CVE and issued an advisory linked to the ShadowV2 campaign, reiterating that unsupported products no longer receive firmware updates.
By contrast, CVE-2024-53375, disclosed around the same period, has reportedly been addressed with a beta firmware release.
The investigation into ShadowV2 traced the attacks to the IP address 198.199.72.27, with activity centered on routers, network-attached storage units, and digital video recorders. Multiple industries were in the crosshairs, including government, technology, manufacturing, managed security service providers, telecommunications, and education. The operation spanned every major region: North and South America, Europe, Africa, Asia, and Australia.
Inside the malware’s code, the identifier “ShadowV2 Build v1.0.0 IoT version” appears, showing clear links to the Mirai LZRD strain. Infections begin with a downloader script named binary.sh, which pulls the main payload from a server at 81.88.18.108. Configuration data is XOR-encoded and covers filesystem paths, User-Agent strings, HTTP headers, and other elements typical of Mirai variants.
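The XOR-encoded configuration table described above is a standard Mirai trait: the strings a sample needs (paths, User-Agent, headers) are stored obfuscated and decoded at run time. The script below is an added analysis example, not code from the article, from Fortinet, or from the malware. It builds a constructed table in a length-prefixed layout (an assumption; ShadowV2's real layout is not described), encodes it with an assumed single-byte key of 0x22 (the byte the original Mirai source's four-byte table key reduces to; ShadowV2's key is not given), and then recovers the key by trying all 256 one-byte keys and ranking the results by printability and by the presence of tokens an analyst expects in such a table.

```python
import string

# Constructed sample strings of the kinds the article says the table covers:
# filesystem paths, a User-Agent string and HTTP headers. Not ShadowV2's real table.
SAMPLE_STRINGS = [
    b"/proc/",
    b"/bin/busybox",
    b"User-Agent: Mozilla/5.0",
    b"Host: ",
    b"Connection: keep-alive",
]
# Assumed key: 0x22 is the single byte that the original Mirai source's
# 4-byte table key reduces to. ShadowV2's actual key is not stated in the article.
SAMPLE_KEY = 0x22


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key (self-inverse, so it encodes and decodes)."""
    return bytes(b ^ key for b in data)


def build_table(strings, key: int) -> bytes:
    """Constructed layout: each entry is a 1-byte length followed by the XOR-encoded bytes."""
    out = bytearray()
    for s in strings:
        if len(s) > 255:
            raise ValueError("entry too long for a 1-byte length prefix")
        out.append(len(s))
        out += xor_bytes(s, key)
    return bytes(out)


def parse_table(blob: bytes, key: int):
    """Walk the length-prefixed entries and decode each one with the candidate key."""
    entries, i = [], 0
    while i < len(blob):
        n = blob[i]
        chunk = blob[i + 1:i + 1 + n]
        if len(chunk) != n:
            raise ValueError("truncated entry at offset %d" % i)
        entries.append(xor_bytes(chunk, key))
        i += 1 + n
    return entries


PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}
# Tokens an analyst expects in a Mirai-style table; used only to rank candidate keys.
TOKENS = (b"User-Agent", b"Host:", b"Connection:", b"/bin/", b"/proc/")


def score(entries) -> int:
    """Higher is better: fully printable entries count 1, expected tokens count 3."""
    printable = sum(all(c in PRINTABLE for c in e) for e in entries)
    hits = sum(any(t in e for t in TOKENS) for e in entries)
    return printable + 3 * hits


def recover_key(blob: bytes):
    """Try all 256 one-byte keys; return the best-scoring key and its decoded entries."""
    best = max(range(256), key=lambda k: score(parse_table(blob, k)))
    return best, parse_table(blob, best)


# Constructed encoded blob standing in for a table carved out of a sample.
SAMPLE_BLOB = build_table(SAMPLE_STRINGS, SAMPLE_KEY)

if __name__ == "__main__":
    key, entries = recover_key(SAMPLE_BLOB)
    print("recovered key: 0x%02x" % key)
    for e in entries:
        print("  ", e.decode("ascii", "replace"))
```

Against a real sample the table layout and the scoring tokens are the parts to adapt; the search itself stays the same because a one-byte XOR has only 256 candidates. Recovered strings such as the User-Agent and header values feed directly into the network detections the article's indicators of compromise are meant to support.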
Once deployed, ShadowV2 can launch distributed denial-of-service attacks across UDP, TCP, and HTTP, offering several flooding methods for each protocol. These operations are coordinated through a command-and-control server that issues instructions to compromised devices.
As with many DDoS-focused botnets, the operators could profit by renting out attack bandwidth or by pressuring victims to pay for relief. The group behind ShadowV2 has yet to be identified, and its financial motives remain unclear. Fortinet has released indicators of compromise to help organizations detect the malware and stressed the urgency of keeping IoT firmware updated to reduce exposure.
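The indicators the article itself names (the attack source 198.199.72.27, the payload server 81.88.18.108 and the downloader name binary.sh) can be matched against egress logs. The script below is an added example, not code from the article or from Fortinet; the firewall and proxy log lines, the private addresses and the timestamps in it are constructed. It matches whole dotted quads so that a neighbouring address such as 81.88.18.1 does not trigger on the 81.88.18.108 indicator, and it lists the internal hosts that talked with or were probed from an indicator, which is the triage list a responder wants first.

```python
import re
from typing import List, Tuple

# Network indicators named in the article (from Fortinet's ShadowV2 report).
IOC_IPS = {
    "198.199.72.27": "ShadowV2 attack source",
    "81.88.18.108": "ShadowV2 payload server",
}
# File-name indicator named in the article.
IOC_FILENAMES = {
    "binary.sh": "ShadowV2 downloader script",
}

# Match a whole dotted quad, never a prefix of a longer one.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed firewall/proxy log lines; private addresses and times are made up.
SAMPLE_LOG = """\
2025-10-20T10:01:02Z fw allow src=10.0.0.5 dst=81.88.18.108 dport=80 proto=tcp
2025-10-20T10:01:03Z proxy GET http://81.88.18.108/binary.sh client=10.0.0.5 ua=Wget
2025-10-20T10:01:05Z fw allow src=10.0.0.7 dst=142.250.72.14 dport=443 proto=tcp
2025-10-20T10:02:11Z fw deny src=198.199.72.27 dst=10.0.0.9 dport=23 proto=tcp
2025-10-20T10:03:00Z fw allow src=10.0.0.5 dst=81.88.18.1 dport=80 proto=tcp
"""


def scan(lines) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator, description) for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, ip, IOC_IPS[ip]))
        for name, desc in IOC_FILENAMES.items():
            # require a path or field boundary so 'mybinary.sh' does not match
            if re.search(r"(?<![\w.-])" + re.escape(name) + r"(?![\w-])", line):
                hits.append((n, name, desc))
    return hits


def affected_hosts(hits, lines):
    """Every non-indicator address on a matching line: the hosts to triage first."""
    hosts = set()
    for n, _, _ in hits:
        for ip in IPV4_RE.findall(lines[n - 1]):
            if ip not in IOC_IPS:
                hosts.add(ip)
    return hosts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for n, ioc, desc in scan(lines):
        print("line %d: %s (%s)" % (n, ioc, desc))
    print("hosts to triage:", sorted(affected_hosts(scan(lines), lines)))
```

The indicator lists are kept as plain dictionaries so that the full set published by Fortinet can be dropped in; the filename match is deliberately strict because a bare substring test on a name as generic as binary.sh would flag unrelated traffic.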
(Source: Bleeping Computer)