New Aquabot Variant Exploiting Mitel SIP Phones via CVE-2024-41710

Jan 30, 2025 | News





A new Mirai-based botnet malware variant, Aquabotv3, has been observed actively exploiting CVE-2024-41710, a command injection vulnerability in Mitel SIP phones. This latest attack campaign was discovered by Akamai’s Security Intelligence and Response Team (SIRT), which reports that Aquabotv3 is the third known iteration of the Aquabot malware family.

Evolution of Aquabot

Aquabot first emerged in 2023, with a second variant introducing persistence mechanisms shortly afterward. The latest version, Aquabotv3, brings a new feature that detects process termination attempts and reports them to the command-and-control (C2) server.

Akamai notes that this capability is unusual for botnets, suggesting that Aquabotv3’s operators may be using it to monitor and counteract interference from security tools.

Figure: Reporting process kill attempts to the C2
Source: Akamai

Targeting Mitel SIP Phones

Aquabotv3 is exploiting CVE-2024-41710, a command injection vulnerability affecting:

  • Mitel 6800 Series SIP Phones
  • Mitel 6900 Series SIP Phones
  • Mitel 6900w Series SIP Phones

These devices are widely used in corporate offices, enterprises, government agencies, hospitals, educational institutions, hotels, and financial institutions.

The vulnerability is rated medium severity and allows an authenticated attacker with admin privileges to execute arbitrary commands via argument injection during the boot process.

Exploitation of CVE-2024-41710

  • Mitel released patches and a security advisory on July 17, 2024, urging users to update.
  • Two weeks later, security researcher Kyle Burns published a proof-of-concept (PoC) exploit on GitHub.
  • Aquabotv3 is the first documented malware leveraging this PoC exploit in active attacks.

“Akamai SIRT detected exploit attempts targeting this vulnerability through our global network of honeypots in early January 2025 using a payload almost identical to the PoC,” Akamai researchers stated.


How the Attack Works

  1. Brute-force login attempts: Since authentication is required, Aquabotv3 likely uses brute-force attacks to gain admin access.
  2. HTTP POST request to 8021xsupport.html: Attackers send malicious data to this endpoint, which manages 802.1x authentication settings on Mitel SIP phones.
  3. Injection of malicious configuration: Attackers manipulate the phone’s local configuration file (/nvdata/etc/local.cfg) by inserting malformed data.
  4. Execution during boot: By injecting line-ending characters (%dt → %0d), the attackers modify how the device parses configuration data, allowing execution of a remote shell script (bin.sh).
  5. Malware deployment: The script downloads and installs Aquabotv3, adapts to the target device’s architecture (x86, ARM, MIPS, etc.), and grants itself execution permissions (chmod 777) before erasing traces.

Aquabotv3’s Propagation and Capabilities

Once installed, Aquabotv3:

  • Establishes a TCP connection to its C2 server for receiving commands and updates.
  • Attempts to spread laterally by exploiting other known vulnerabilities, including:
    • CVE-2018-17532 (TP-Link)
    • CVE-2023-26801 (IoT firmware RCE)
    • CVE-2022-31137 (Web App RCE)
    • Linksys E-series RCE
    • Hadoop YARN
    • CVE-2018-10562 / CVE-2018-10561 (Dasan router bugs)
  • Uses brute-force attacks to compromise weak SSH/Telnet credentials on the same network.


DDoS Capabilities

The primary goal of Aquabotv3 is to enlist infected devices into a botnet for Distributed Denial-of-Service (DDoS) attacks. The botnet supports multiple attack vectors, including:

  • TCP SYN floods
  • TCP ACK floods
  • UDP floods
  • GRE IP floods
  • Application-layer attacks

The Aquabotv3 botnet is actively advertised on Telegram under the names Cursinq Firewall, The Eye Services, and The Eye Botnet, promoting itself as a DDoS testing tool.




Detection and Mitigation

Akamai has published Indicators of Compromise (IoCs), along with Snort and YARA rules, to help detect Aquabotv3 infections.

How to Protect Against Aquabotv3

  • Update Mitel SIP phones immediately to patched firmware versions.
  • Disable unnecessary admin access and use strong, unique passwords.
  • Monitor network traffic for signs of brute-force attempts and unusual HTTP POST requests.
  • Block outbound connections to known Aquabot C2 servers.
  • Deploy IDS/IPS rules (e.g., Snort/YARA) to detect exploit attempts.
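The attack chain in "How the Attack Works" (repeated failed admin logins followed by a POST to 8021xsupport.html carrying encoded line endings) gives a concrete shape to the monitoring advice above. The following is an added example, not code from Akamai, Mitel or the article's authors: it runs two simple detectors over constructed web-access log lines. The log format, the /login.html path and the form field name are assumptions for the demo; a real deployment would adapt the parser to the phone's or proxy's actual log layout.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log (hypothetical format): timestamp, client IP, method, path, status, body
SAMPLE_LOG = """\
2025-01-05T10:00:01Z 203.0.113.7 POST /login.html 401 user=admin&pass=1234
2025-01-05T10:00:02Z 203.0.113.7 POST /login.html 401 user=admin&pass=admin
2025-01-05T10:00:03Z 203.0.113.7 POST /login.html 401 user=admin&pass=password
2025-01-05T10:00:06Z 203.0.113.7 POST /login.html 200 user=admin&pass=REDACTED
2025-01-05T10:00:09Z 203.0.113.7 POST /8021xsupport.html 200 field=value%0dextra
2025-01-05T10:05:00Z 198.51.100.9 POST /8021xsupport.html 200 field=phone1
2025-01-05T10:06:00Z 198.51.100.9 GET /index.html 200 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<body>.*)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def brute_force_sources(log_text, threshold=3):
    """IPs with at least `threshold` failed (401) POSTs to the (assumed) login page."""
    failures = defaultdict(int)
    for r in parse(log_text):
        if r["method"] == "POST" and r["path"] == "/login.html" and r["status"] == "401":
            failures[r["ip"]] += 1
    return sorted(ip for ip, n in failures.items() if n >= threshold)


def config_injection_attempts(log_text):
    """POSTs to the 802.1x settings page whose URL-decoded body contains CR or LF.
    A normal form submission has no reason to embed line endings, so %0d/%0a
    in this request is a strong signal of the configuration injection described."""
    hits = []
    for r in parse(log_text):
        if r["method"] != "POST" or not r["path"].endswith("/8021xsupport.html"):
            continue
        if any(ch in unquote(r["body"]) for ch in "\r\n"):
            hits.append((r["ts"], r["ip"]))
    return hits
```

Correlating the two findings by source IP (a brute-force source that then hits the 802.1x page) gives a higher-confidence alert than either signal alone.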


Source: bleepingcomputer.com
