VMware, F5, Log4j added to EnemyBot attack targets


Also tries to infect Android devices.

AT&T is warning of expansions to the EnemyBot malware botnet that target recently-discovered vulnerabilities in F5 hardware and VMware software.

Discovered by Securonix in March, EnemyBot’s original target was the wide range of Linux variants used in IoT devices.

However, a more recent analysis released last week by AT&T Alien Labs showed EnemyBot is launching attacks against a number of more recent vulnerabilities in content management systems, web servers, F5 hardware, and VMware software.

The AT&T analysis notes that “most of EnemyBot functionality relates to the malware’s spreading capabilities, as well as its ability to scan public-facing assets and look for vulnerable devices.”

“However, the malware also has DDoS capabilities and can receive commands to download and execute new code (modules) from its operators that give the malware more functionality," it wrote.

There’s quite a list of targets in the AT&T analysis, with the high-profile Log4j remote code execution (RCE) vulnerabilities from last year (CVE-2021-44228 and CVE-2021-45046), a VMware Workspace ONE vulnerability (CVE-2022-22954) discovered in April, and a REST vulnerability in F5’s BIG-IP application delivery server (CVE-2022-1388) published in May.

Nine of the vulnerabilities, including several in WordPress plugins and one in Adobe ColdFusion 11 discovered in February (outlined at Packetstorm), have no CVE assigned.

If EnemyBot successfully infects a target, it will try to find other vulnerable hosts to infect.

Its command and control (C&C) servers can also invoke a range of commands on EnemyBot, including various DDoS tools, shell commands, reverse shell creation, and a TLS attack (it starts a handshake without closing the socket).
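The TLS attack described above (handshakes opened and never closed) leaves a recognisable footprint in a server's connection table: one source holding many sockets that never get past the ClientHello. The script below is an added example, not code from the AT&T or Fortinet analyses; the log format, field names and the 30-second/3-socket thresholds are assumptions.

```python
"""Flag sources holding many TLS handshakes open without completing them.

Constructed example: the record format (src, dport, state, age) is an
assumed connection-table snapshot, not any real product's log format.
"""
import re
from collections import defaultdict

# Constructed sample: one line per server-side socket on port 443.
# state=client_hello means a ClientHello arrived but the handshake never
# finished; age is seconds since the socket was opened.
SAMPLE_LOG = """\
src=203.0.113.5 dport=443 state=client_hello age=95
src=203.0.113.5 dport=443 state=client_hello age=120
src=203.0.113.5 dport=443 state=client_hello age=101
src=203.0.113.5 dport=443 state=client_hello age=87
src=198.51.100.7 dport=443 state=established age=3
src=198.51.100.7 dport=443 state=client_hello age=2
src=192.0.2.9 dport=443 state=client_hello age=400
"""

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+) dport=(?P<dport>\d+) state=(?P<state>\w+) age=(?P<age>\d+)"
)


def parse(log: str):
    """Yield one dict per parsable line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            rec["age"] = int(rec["age"])
            yield rec


def stalled_handshakes(log: str, min_age: int = 30, min_count: int = 3) -> dict:
    """Return {src: count} for sources with at least min_count TLS sockets
    stuck before handshake completion for longer than min_age seconds."""
    counts = defaultdict(int)
    for rec in parse(log):
        if rec["dport"] == 443 and rec["state"] == "client_hello" and rec["age"] >= min_age:
            counts[rec["src"]] += 1
    return {src: n for src, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    for src, n in stalled_handshakes(SAMPLE_LOG).items():
        print(f"{src}: {n} stalled TLS handshakes")
```

Ordinary clients that are slow to complete a handshake (198.51.100.7 above) fall under the age threshold, so only sources that accumulate several long-lived incomplete handshakes are reported.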

It will also try to infect Android devices connected through the USB port, AT&T said.

In April, Fortinet and others attributed EnemyBot to a cryptomining and DDoS attack group dubbed Keksec.

“The EnemyBot botnet borrows the code from the Gafgyt bot and re-used some codes from the infamous Mirai botnet”, Fortinet wrote at the time.

Copyright © iTnews.com.au . All rights reserved.