Hackers are using device monitoring software Cacti to install malware

Known vulnerability in Cacti is being used to drop Mirai

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Hackers are utilizing a known vulnerability in device monitoring tool Cacti to install all sorts ofmalwareon vulnerable endpoints, researchers have claimed.

Cybersecurity researchers from The Shadowserver Foundation spotted multiple attempts at delivering various malware via the critical command injection vulnerability, tracked as CVE-2022-46169.

By abusing the flaw, which has a severity rating of 9.8 (critical), threat actors were observed deploying Mirai malware, as well as IRC botnet. Some threat actors were seen simply checking for the vulnerability, possibly in preparation for future attacks.

Thousands of unpatched instances

Mirai is a malware that mostly targets smart home devices running Linux, such as IP cameras and home routers, and assimilates them into the Mirai botnet. The botnet can later be used for Distributed Denial of Service (DDoS) attacks, which can disrupt operations and shut websites down.

The IRC botnet was seen opening a reverse shell on the host and having it scan the endpoint’s ports.

In total, roughly 10 exploitation attempts were seen in the last week.

A Censys report claims there are more than 6,000 unpatched Cacti instances reachable over the internet, while adding that more than 1,600 are unpatched and thus vulnerable.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Check out the best patch management software right now>Mirai botnet now targeting critical flaw in thousands of routers>Mirai botnet returns to target IoT devices

“Censys has observed 6,427 hosts on the internet running a version of Cacti. Unfortunately, we can only see the exact running software version when a specific theme (sunrise) is enabled on the web application,” Censys said. That being said, 1,637 hosts were found reachable over the web and vulnerable to CVE-2022-46169, the majority (465) running version 1.1.38, released more than a year ago, it added.

Furthermore, Censys has only observed 26 instances running an updated version that wasn’t vulnerable.

As usual, the best way to protect your devices against such attacks is to make sure all software is running the latest version.

Via:BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Dangerous Android banking malware looks to trick victims with fake money transfers

Sophos Firewall hack on government network used an all-new custom malware

Don’t wait until Black Friday, this year’s best Nintendo Switch bundles are on sale now