Zerobot botnet expands to start exploiting Apache flaws
Two new Apache flaws are being leveraged to distribute Zerobot
Zerobot, a botnet that infects various Internet of Things (IoT) devices and uses them for distributed denial of service (DDoS) attacks, has been updated with new features and new infection mechanisms.
A report from Microsoft’s security team claims that the malware used to integrate IoT devices into the botnet has reached version 1.1.
With this upgrade, Zerobot can now leverage flaws in Apache HTTP Server and Apache Spark to compromise additional endpoints and later use them in its attacks. The flaws used to deploy Zerobot are tracked as CVE-2021-42013 and CVE-2022-33891.
Abusing Apache flaws
CVE-2021-42013 is a follow-up to the previous fix, which was meant to patch CVE-2021-41773 in Apache HTTP Server 2.4.50.
As that fix was insufficient, it still allowed threat actors to use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives, the cve.mitre.org site explains. “If files outside of these directories are not protected by the usual default configuration ‘require all denied’, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.”
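To make the configuration point in that advisory text concrete, the fragment below is an added example (not from the article, Microsoft’s report, or Apache’s own documentation) contrasting an httpd.conf that leaves the filesystem root unprotected with one that restores the default `Require all denied` and grants access only to the aliased directories. The paths, alias names and directory layout are assumed for illustration.

```apache
# Added example, not part of the original article. All paths are assumed.
# Two httpd.conf excerpts are shown together for contrast; deploy only one.

# --- Weak: no access rule covers the filesystem root, so a request whose
# --- URL mapping escapes the aliased directories (as the advisory describes
# --- for 2.4.49 and 2.4.50) can succeed, and ExecCGI on the alias lets
# --- whatever it reaches be executed.
Alias /static/ "/srv/www/static/"
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
<Directory "/srv/www/cgi-bin">
    Options +ExecCGI
    Require all granted
</Directory>

# --- Hardened: deny everything by default, then grant only what each alias
# --- needs. A request that maps outside these directories now hits the
# --- root rule and is refused. This is defence in depth; upgrading to a
# --- fixed Apache HTTP Server release remains the actual remedy.
<Directory "/">
    AllowOverride None
    Require all denied
</Directory>

Alias /static/ "/srv/www/static/"
<Directory "/srv/www/static">
    Options -Indexes -ExecCGI
    Require all granted
</Directory>

ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
<Directory "/srv/www/cgi-bin">
    Options +ExecCGI
    Require all granted
</Directory>
```

Run `apachectl configtest` after editing to confirm the directives parse before reloading the server.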
CVE-2022-33891, on the other hand, affects the Apache Spark UI and allows attackers to perform impersonation attacks by supplying an arbitrary username, which ultimately lets them run arbitrary shell commands. It affects Apache Spark versions 3.0.3 and earlier, 3.1.1 to 3.1.2, and 3.2.0 to 3.2.1, cve.mitre.org explained.
The new version of Zerobot also comes with new DDoS attack capabilities, Microsoft explained. These capabilities allow threat actors to target different resources and render them inaccessible. In almost every attack, the report states, the destination port is customizable, allowing threat actors who purchase the malware to modify the attack as they see fit.