Security researchers at Akamai have uncovered a sophisticated new variant of the Aquabot malware, built upon the infamous Mirai codebase. This third iteration specifically exploits a critical vulnerability (CVE-2024-41710) in Mitel SIP phones, posing a significant threat to enterprise communications infrastructure.
Advanced Features and Evolution of Aquabot
Since its initial emergence in 2023, Aquabot has undergone significant evolutionary changes. The second version introduced persistence mechanisms; the latest variant adds a monitoring mechanism that detects attempts to terminate the malware process and reports them to its command-and-control (C2) servers, a behaviour rarely seen in traditional botnet architectures.
Technical Analysis of the Vulnerability Exploitation
The CVE-2024-41710 vulnerability affects Mitel’s 6800, 6900, and 6900w series enterprise SIP phones. Threat actors first brute-force the administrative credentials, then exploit the 8021xsupport.html endpoint. The vulnerability stems from improper input validation, which lets an attacker with administrative access inject malicious content into the device’s configuration files.
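The two-step pattern described above (credential brute force followed by a request to the 8021xsupport.html endpoint) is something a defender can look for in web-server or reverse-proxy logs. The following is an added example, not code from Akamai’s report or from Mitel; it assumes Apache-style combined log lines and a login path of /login.html, neither of which the article specifies, and runs over constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: web-server style combined log lines; the phone's real log
# format and its login path (/login.html here) are not given in the article.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+')
LOGIN_PATH = "/login.html"          # assumed admin login page
TARGET_PATH = "/8021xsupport.html"  # endpoint named in the article
FAIL_THRESHOLD = 5                  # 401s from one source within WINDOW => brute force
WINDOW_SECONDS = 300

# Constructed sample log (not real traffic): one source brute-forces, then
# hits the endpoint; another touches the endpoint with no failed logins.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [28/Jan/2025:10:00:0{i} +0000] "POST /login.html HTTP/1.1" 401 123'
     for i in range(5)] + [
    '203.0.113.7 - - [28/Jan/2025:10:00:06 +0000] "POST /login.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Jan/2025:10:00:09 +0000] "POST /8021xsupport.html HTTP/1.1" 200 77',
    '198.51.100.4 - - [28/Jan/2025:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '198.51.100.4 - - [28/Jan/2025:10:05:30 +0000] "POST /8021xsupport.html HTTP/1.1" 200 77',
])

def parse(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def find_suspects(log_text):
    """Map source IP -> 'high' if it brute-forced the login page and then POSTed
    to 8021xsupport.html, 'low' for any other POST to that endpoint (possibly a
    legitimate configuration change, but worth auditing)."""
    failures = defaultdict(list)  # ip -> timestamps of 401s on the login page
    suspects = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if path == LOGIN_PATH and status == 401:
            failures[ip].append(ts)
        elif path == TARGET_PATH and method == "POST":
            recent = [t for t in failures[ip] if 0 <= (ts - t).total_seconds() <= WINDOW_SECONDS]
            suspects[ip] = "high" if len(recent) >= FAIL_THRESHOLD else suspects.get(ip, "low")
    return suspects

if __name__ == "__main__":
    for ip, severity in find_suspects(SAMPLE_LOG).items():
        print(f"{severity}: {ip}")
```

Tune the threshold and window to the device’s real login path and log format, and treat any "low" hit as a configuration change to confirm with the administrator.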
Infection Vector and Propagation Strategy
Upon successful compromise, Aquabot deploys architecture-specific payloads optimized for the target system. The malware’s propagation mechanism leverages multiple attack vectors, including:
– TP-Link devices through CVE-2018-17532
– IoT firmware vulnerabilities via CVE-2023-26801
– Web application remote code execution using CVE-2022-31137
– Known vulnerabilities in Linksys devices and Hadoop YARN implementations
Attack Capabilities and Monetization Strategy
Aquabot’s primary function centers on orchestrating sophisticated DDoS attacks, including TCP SYN/ACK floods, UDP floods, and application-layer attacks. The operators market their services through Telegram channels under the guises of “Cursinq Firewall” and “The Eye Services,” presenting themselves as legitimate security testing providers.
Organizations must implement comprehensive security measures to protect against this evolving threat. Critical steps include regular security patches, implementation of strong password policies, and continuous network infrastructure monitoring. Special attention should be directed toward securing IoT endpoints, as these devices often serve as primary attack vectors for sophisticated malware campaigns. Additionally, organizations should implement network segmentation and deploy advanced intrusion detection systems to identify and mitigate potential Aquabot infections before they can establish a foothold in the network.