Zerobot botnet upgrade targets unpatched Apache servers

Zerobot, an “internet of things” botnet discovered earlier this year, has been updated with additional features, including the ability to target vulnerabilities on unpatched Apache servers.

As detailed Wednesday by researchers at Microsoft Corp.’s Security Threat Intelligence team, Zerobot is a Go-based botnet that primarily spreads through IoT and web application vulnerabilities. Zerobot is offered as part of a malware-as-a-service scheme. One domain with links to the bot was seized by the U.S. Federal Bureau of Investigation on Dec. 14.

The new version, dubbed Zerobot 1.1, has increased capabilities, including new attack methods and exploits for support architectures, expanding its reach to different types of devices, Apache servers notable among them.

Zerobot 1.1 targets vulnerabilities in Apache and Apache Spark, CVE-2021-42013 and CVE-2022-33891, respectively. Added features include the ability to target vulnerabilities in the MiniDVBLinux DVR systems, Grandstream networking systems and Roxy-WI GUI.

Upon gaining device access, Zerobot injects a malicious payload that then attempts to download several binaries to identify the architecture by brute force. Depending on the operating system, the botnet has various persistence mechanisms that are used to maintain access to infected devices. It’s noted that although Zerobot is unable to spread on Windows machines, several examples can run on Windows.

The new version of Zerobot also has additional distributed denial-of-service attack capabilities, including functions that allow the threat actors to target resources and make them inaccessible. Successful Zerobot DDOS attacks can be used to extort ransom payments, distract from other malicious activity, or disrupt operations.

“Zerobot (and other methods of forming botnet armies) is about as serious as it gets.” Bud Broomhead, chief executive officer at IoT cyber hygiene company Viakoo Inc., told SiliconANGLE. “Threat actors gain not just one foothold in your network but thousands of them when IoT and operational-technology devices are infected.”

Broomhead noted that the number of DDoS attacks is increasing in size, frequency and duration thanks to the spread of bots such as Zerobot that have mainly been unchecked.

“Threat actors will always go to where defenses are weakest and the potential for exploits is highest – and that’s exactly what IoT and OT devices offer today,” Broomhead explained. “Many cyber defenses rely on agent-based technology to protect IT systems. IoT/OT devices can’t accept agents, making IT-oriented solutions ineffective in stopping threats like Zerobot.”

Broomhead recommends that security teams should at least be using an agentless asset discovery solution so they know what assets can be compromised. Security teams should monitor devices for changes in how they function, such as increased network traffic from them, use of onboard memory, or unusual CPU usage. In addition, security teams need to stay on top of IoT/OT device firmware updates and password rotations by using an automated and agentless IoT security platform.

Image: Needpix