Attackers have developed the Mozi botnet so that the malware can achieve persistence on routers and network gateways.
Mozi is a peer-to-peer botnet, active for two years since 2019, that spreads to IoT devices by using known vulnerabilities and weak (default) Telnet passwords.
Infected devices have typically been used as a platform to launch denial of service attacks or send spam.
The malware spreads across devices including digital video recorders and networking equipment.
Security researchers at Microsoft warn that Recent changes have allowed the malware to achieve persistent infection on networking gateways made by Netgear, Huawei, and ZTE.
Tailored or be-spoke techniques are used in each case to achieve persistence such that infections persist after device reboots, as part of development to the malware that serve to make it a more potent threat, particularly to industrial control systems.
Microsoft security threat researchers warn: “Adversaries can search the internet for vulnerable devices via scanning tools like Shodan, infect them, perform reconnaissance, and then move laterally to compromise higher value targets – including information systems and critical industrial control system (ICS) devices in the operational technology (OT) networks.”
Infecting routers offers attackers a foothold on enterprise or OT networks that can be used to penetrate more deeply into targeted networks. The approach can be used to plant ransomware or even sabotage component systems in industrial plants.
By infecting routers, they can perform man[ipulator]-in-the-middle (MitM) attacks via HTTP hijacking and DNS spoofing to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities,” the Microsoft researchers warn in a recent blog post on proactive defences.
The post goes on to offer additional detail of an infection chain associated with the malware as well as proactive defence on how enterprises can harden systems against attack.
Defences involve measures such as following password security best practices and ensuring devices are patched and up-to-date.