Network Security, Vulnerability Management, IoT, Threat Management

New Aquabot botnet variant exploits Mitel SIP phone vulnerability

BleepingComputer reports that a new variant of the Mirai-based Aquabot botnet, dubbed Aquabotv3, has been observed exploiting CVE-2024-41710, a command injection flaw in Mitel SIP phones.

Researchers at Akamai’s Security Intelligence and Response Team detected the malware leveraging a proof-of-concept exploit that was published in July 2024. This marks the first documented case of attacks using this vulnerability. The medium-severity flaw affects Mitel 6800, 6900, and 6900w Series SIP phones, commonly used in corporate and institutional settings. It allows attackers with administrator access to execute arbitrary commands because of insufficient input sanitization during the boot process.

The botnet likely gains initial access through brute-force attacks, then exploits the flaw by crafting malicious HTTP POST requests that inject commands into the phone’s local configuration. Aquabotv3 then establishes persistence, connects to a command-and-control server, and spreads to other IoT devices by exploiting existing vulnerabilities in several router devices. Its primary function is to add devices to a distributed denial-of-service swarm for use in future attacks, which its operators advertise on Telegram as a stress-testing tool. Akamai has published detection rules and indicators of compromise to help organizations mitigate the threat.
