New Mirai Botnet Hijacks 15,000 Industrial Routers in Global DDoS Campaign

Mirai Botnet Variant Targets Industrial Routers in Global DDoS Campaign

A new variant of the Mirai botnet, dubbed “gayfemboy,” has been actively exploiting vulnerabilities in Four-Faith industrial routers since November 2024. The botnet maintains approximately 15,000 daily active IP addresses, primarily affecting devices in China, Iran, Russia, Turkey, and the United States.

The malware, active since February 2024, spreads by exploiting more than 20 known security vulnerabilities and by brute-forcing weak Telnet credentials. Most notably, it leverages CVE-2024-12856, a critical OS command injection vulnerability in Four-Faith F3x24 and F3x36 router models; the flaw requires authentication, but attackers reach it using the routers' unchanged default credentials.
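A defensive counterpart to the Telnet credential sweeping described above, added here as an example; it is not code from the XLab report or from the botnet. It assumes a constructed honeypot-style login log format (real telnetd does not log passwords; honeypots do) and a small, assumed sample of the factory-default username/password pairs that Mirai-family bots try. A source is flagged when it cycles through several default pairs in a short window, or when it logs in successfully with any default pair.

```python
"""Flag Mirai-style Telnet credential sweeps in honeypot-style login logs.

Added example for this article, not code from the XLab report or the botnet.
The log format and the credential list below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed sample of factory-default pairs that Mirai-family bots sweep.
DEFAULT_CREDS = {
    ("admin", "admin"), ("root", "root"), ("root", "admin"),
    ("root", "xc3511"), ("root", "vizxv"), ("admin", "1234"),
    ("user", "user"), ("support", "support"),
}

# Assumed honeypot record layout, one login attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet-login src=(?P<src>[\d.]+) user=(?P<user>\S*) "
    r"pass=(?P<pw>\S*) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one sweeping bot (198.51.100.7), one legitimate admin
# login (192.0.2.10) and one isolated failed default-credential attempt.
SAMPLE_LOG = """\
2024-11-12T03:14:01Z telnet-login src=198.51.100.7 user=root pass=xc3511 result=FAIL
2024-11-12T03:14:02Z telnet-login src=198.51.100.7 user=root pass=vizxv result=FAIL
2024-11-12T03:14:02Z telnet-login src=198.51.100.7 user=admin pass=admin result=FAIL
2024-11-12T03:14:03Z telnet-login src=198.51.100.7 user=root pass=admin result=OK
2024-11-12T03:20:00Z telnet-login src=192.0.2.10 user=netops pass=*** result=OK
2024-11-12T03:21:00Z telnet-login src=192.0.2.11 user=admin pass=admin result=FAIL
"""


def parse(log_text):
    """Turn log text into (timestamp, src, user, password, success) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not login records
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["pw"], m["result"] == "OK"))
    return events


def find_sweeps(events, window=timedelta(seconds=60), min_pairs=3):
    """Return {src: finding} for sources that behave like a credential sweeper.

    A source is flagged if it tries at least `min_pairs` distinct default
    pairs inside any `window`, or if any login with a default pair succeeds.
    """
    by_src = defaultdict(list)
    for ts, src, user, pw, ok in events:
        by_src[src].append((ts, user, pw, ok))

    findings = {}
    for src, rows in by_src.items():
        rows.sort()  # chronological, so each row starts a candidate window
        best = 0
        for i, (t0, *_) in enumerate(rows):
            pairs = {
                (u, p) for t, u, p, _ in rows[i:]
                if t - t0 <= window and (u, p) in DEFAULT_CREDS
            }
            best = max(best, len(pairs))
        default_success = [
            (u, p) for _, u, p, ok in rows if ok and (u, p) in DEFAULT_CREDS
        ]
        if best >= min_pairs or default_success:
            findings[src] = {
                "default_pairs_in_window": best,
                "default_success": default_success,
            }
    return findings


if __name__ == "__main__":
    for src, f in find_sweeps(parse(SAMPLE_LOG)).items():
        print(src, f)
```

Run against the constructed sample, only 198.51.100.7 is flagged: it tries four default pairs within two seconds and one of them succeeds. The single admin/admin failure from 192.0.2.11 stays below the threshold, which is the point of scoring distinct pairs per window rather than raw failure counts.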

Key Features and Impact:
– Exploits more than 20 CVEs, the oldest being CVE-2013-3307 and the most recent CVE-2024-8957
– Reuses Mirai's command structure for device scanning and DDoS attacks
– Generates attack traffic of up to 100 Gbps in short bursts of 10 to 30 seconds
– Attacks hundreds of different entities daily
– Peak activity observed in October-November 2024

Recent related incidents include attacks on Juniper Networks’ Session Smart Router products and DigiEver DVRs using similar Mirai variants. Security researchers at QiAnXin XLab emphasize that DDoS attacks continue to evolve as a significant threat to enterprises, government organizations, and individual users, with increasingly diverse attack modes and concealed attack paths.

The threat also coincides with cryptocurrency mining campaigns targeting vulnerable PHP servers through CVE-2024-4577 to deploy PacketCrypt miners.
