VMware, F5, Log4j added to EnemyBot attack targets

By

Also tries to infect Android devices.

AT&T is warning of expansions to the EnemyBot malware botnet that target recently-discovered vulnerabilities in F5 hardware and VMware software.

VMware, F5, Log4j added to EnemyBot attack targets

Discovered by Secronix in March, EnemyBot’s original target was the wide range of Linux variants used in IoT devices.

However, a more recent analysis released last week by AT&T Alien Labs showed EnemyBot is launching attacks against a number of more recent vulnerabilities in content management systems, web servers, F5 hardware, and VMware software.

The AT&T analysis notes that “most of EnemyBot functionality relates to the malware’s spreading capabilities, as well as its ability to scan public-facing assets and look for vulnerable devices. "

“However, the malware also has DDoS capabilities and can receive commands to download and execute new code (modules) from its operators that give the malware more functionality," it wrote.

There’s quite a list of targets in the AT&T analysis, with the high-profile Log4j remote code execution (RCE) vulnerabilities from last year (CVE-2021-44228 and CVE-2021-45046), a VMware Workspace ONE vulnerability (CVE-2022-22954) discovered in April, and a REST vulnerability in F5’s BIG-IP application delivery server (CVE-2022-1388) published in May.

Nine of the vulnerabilities, including several in Wordpress plugins and one in Adobe ColdFusion 11 discovered in February (outlined at Packetstorm), have no CVE assigned.

If EnemyBot successfully infects a target, it will try to find other vulnerable hosts to infect. 

Its command and control (C&C) servers can also invoke a range of commands on EnemyBot, including various DDoS tools, shell commands, reverse shell creation, and a TLS attack (it starts a handshake without closing the socket).

It will also try to infect Android devices connected through the USB port, AT&T said.

In April, Fortinet and others attributed EnemyBot to a cryptomining and DDoS attack group dubbed Keksec. 

“The EnemyBot botnet borrows the code from the Gafgyt bot and re-used some codes from the infamous Mirai botnet”, Fortinet wrote at the time.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
apacheattbotnetddosf5malwaresecurityvmware

Sponsored Whitepapers

Trust Imperative 4.0
Trust Imperative 4.0
Centralized Remote Connectivity for State & Local Government
Centralized Remote Connectivity for State & Local Government
Global Employee Experience Trends Report
Global Employee Experience Trends Report
State of workplace technology - AI in IT
State of workplace technology - AI in IT
Case Study: University of Wollongong
Case Study: University of Wollongong

Most Read Articles

FBI says Chinese hackers preparing to attack US infrastructure

FBI says Chinese hackers preparing to attack US infrastructure
Vic councils' after-hours call answering service breached

Vic councils' after-hours call answering service breached
AFP arrests man over alleged creation and sale of 'Firebird' RAT

AFP arrests man over alleged creation and sale of 'Firebird' RAT
Five Australians arrested in global raid on phishing kit seller LabHost

Five Australians arrested in global raid on phishing kit seller LabHost

Digital Nation

COVER STORY: What AI regulation might look like in Australia
COVER STORY: What AI regulation might look like in Australia
State of Security 2023
State of Security 2023
More than half of loyalty members concerned about their data
More than half of loyalty members concerned about their data
Health tech startup Kismet raises $4m in pre-seed funding
Health tech startup Kismet raises $4m in pre-seed funding
How eBay uses interaction analytics to improve CX
How eBay uses interaction analytics to improve CX

Log In

  |  Forgot your password?