Mirai Botnet Variant Exploits Four-Faith Router Flaw to Unleash DDoS Attacks

In a stark reminder of the growing dangers posed by botnets, a new Mirai variant has been exploiting a vulnerability in Four-Faith industrial routers since early November 2024. The botnet, dubbed “gayfemboy” after an offensive string found in its source code, shows how persistent the distributed denial-of-service (DDoS) threat remains and why robust defenses are still needed.

With roughly 15,000 daily active IPs spread across China, Iran, Russia, Turkey and the U.S., the botnet has grown to a size that can cause serious disruption. Its ability to combine zero-day vulnerabilities with more than 20 known security flaws and weak Telnet credentials should concern enterprises and individual users alike.

The Exploited Vulnerability: CVE-2024-12856

At the heart of the botnet’s recent campaign is CVE-2024-12856, an OS command injection vulnerability in Four-Faith router models F3x24 and F3x36, rated CVSS 7.2. The flaw sits in the /apply.cgi endpoint of the HTTP management interface, where a parameter used to adjust the device’s system time reaches a shell without validation. Exploitation requires authentication, but in practice attackers satisfy that requirement with the routers’ unchanged factory-default credentials.

Exploitation was observed from early November 2024, weeks before the flaw was publicly disclosed in late December, with payloads including reverse shells and a Mirai-based malware variant. Industrial routers make attractive bot hosts: they sit on always-on WAN or cellular links, run no endpoint security, and are seldom rebooted or patched, so an infected unit can keep flooding targets for a long time without anyone noticing.
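To make concrete what an OS command injection of this kind looks like, here is an added illustration written for this article; it is not Four-Faith’s firmware code, which is not shown on this page. A simplified CGI-style handler sets the system clock from a request parameter. The vulnerable version splices the parameter into a shell command string, and the tokeniser shows what the shell would actually execute; the hardened version allow-lists the value and passes it as a separate argument with no shell involved. The handler, the parameter name `year` and the `date -s` command are assumptions.

```python
"""Vulnerable versus hardened handling of a request parameter that ends up in
an operating-system command. Added illustration for this article, not
Four-Faith firmware code; the handler, the parameter name 'year' and the
'date -s' command are assumptions chosen to mirror the kind of setting the
real flaw abuses.
"""
import re
import shlex
import subprocess

# The only shape a year parameter should ever have.
YEAR_RE = re.compile(r"\d{4}")


def build_command_vulnerable(year: str) -> str:
    """Unsafe pattern: the parameter is spliced into a command line that will
    be handed to a shell (system(), popen(), subprocess with shell=True).
    Shell operators inside `year` become command structure, not data."""
    return f"date -s {year}"


def shell_tokens(cmd: str) -> list[str]:
    """Tokenise `cmd` as a POSIX shell would, keeping operators such as ';'
    and '|' as separate tokens, to show what the shell would actually run."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def build_command_hardened(year: str) -> list[str]:
    """Safe pattern: allow-list the value, then return an argv list. Passed to
    subprocess.run() without shell=True, the value reaches `date` as a single
    argument and is never interpreted by a shell."""
    if not YEAR_RE.fullmatch(year):
        raise ValueError(f"rejected year parameter: {year!r}")
    return ["date", "-s", year]


def set_time_hardened(year: str, runner=subprocess.run):
    """Hardened handler entry point. `runner` is injectable so the example can
    be exercised without touching the host clock; in production leave the
    default, which execs `date` directly with no shell in between."""
    argv = build_command_hardened(year)
    return runner(argv, shell=False, capture_output=True)


if __name__ == "__main__":
    payload = "2024;id"   # what a request might carry instead of a plain year
    print("vulnerable command :", build_command_vulnerable(payload))
    print("shell would execute:", shell_tokens(build_command_vulnerable(payload)))
    try:
        build_command_hardened(payload)
    except ValueError as err:
        print("hardened handler   :", err)
    # Dry run: the fake runner just echoes argv instead of calling date(1).
    print("hardened argv      :", set_time_hardened("2024", runner=lambda argv, **kw: argv))
```

Run stand-alone, the vulnerable path shows the shell splitting `date -s 2024;id` into two commands, `date -s 2024` and `id`, while the hardened path rejects the same input before any process is started. The allow-list is the important part: escaping metacharacters is fragile, whereas “four digits or nothing” leaves no room for interpretation.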

A Multi-Pronged Attack Strategy

The Mirai variant employs a combination of tactics to infect devices and maximize its impact:

  1. Initial Access via Weak Credentials
    The botnet scans for devices with weak or factory-default Telnet credentials, a common oversight in IoT and industrial deployments, and simply logs in.
  2. Exploiting a Long List of Vulnerabilities
    Beyond CVE-2024-12856, the botnet exploits more than 20 known vulnerabilities, some dating back to 2013, such as:
    • CVE-2013-3307
    • CVE-2016-20016
    • CVE-2021-35394
  3. Mirai-Based Malware Capabilities
    Once deployed, the malware adopts techniques to:
    • Hide malicious processes.
    • Execute commands to locate new vulnerable devices.
    • Continuously update its malware payload.
    • Launch targeted DDoS attacks.
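The Telnet credential attacks in step 1 leave a recognisable trace on the device: a burst of failed logins from one source, often followed by a success. The following added example (written for this article, not code from the botnet analysis or any vendor) runs that detection over a few constructed log lines. The syslog-style format, hostnames and IP addresses are assumptions; adapt the regular expression to whatever your Telnet daemon actually writes.

```python
"""Detect Mirai-style Telnet credential brute-forcing in device logs.

Added example for this article; the log format, hostnames and addresses are
constructed for illustration and are not the botnet's or any vendor's output.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed syslog-style line written by a Telnet daemon for each login attempt.
# Passwords are deliberately not logged; usernames and outcomes are enough.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd\[\d+\]: login (?P<result>failed|succeeded) "
    r"for user=(?P<user>\S+) from=(?P<src>\d+\.\d+\.\d+\.\d+)$"
)

# Constructed sample: one scanner spraying common default usernames and finally
# getting in, and one operator mistyping once before logging in normally.
SAMPLE_LOG = """\
2024-11-03T02:14:07Z edge-rtr telnetd[412]: login failed for user=root from=198.51.100.23
2024-11-03T02:14:09Z edge-rtr telnetd[412]: login failed for user=admin from=198.51.100.23
2024-11-03T02:14:11Z edge-rtr telnetd[412]: login failed for user=support from=198.51.100.23
2024-11-03T02:14:13Z edge-rtr telnetd[412]: login failed for user=root from=198.51.100.23
2024-11-03T02:14:16Z edge-rtr telnetd[412]: login succeeded for user=admin from=198.51.100.23
2024-11-03T08:20:31Z edge-rtr telnetd[412]: login failed for user=operator from=203.0.113.8
2024-11-03T08:20:40Z edge-rtr telnetd[412]: login succeeded for user=operator from=203.0.113.8
"""


def parse(line):
    """Return a dict for a recognised login line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def detect_bruteforce(log_text, window_s=60, max_failures=3):
    """Return {src_ip: verdict} for suspicious sources.

    'BRUTE_FORCE' : more than max_failures failed logins from one source inside
                    any window_s-second window.
    'COMPROMISED' : a successful login from a source that had already tripped
                    the brute-force rule; treat the device as a bot.
    Sources that never exceed the threshold get no entry.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            by_src[rec["src"]].append(rec)

    verdicts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        recent_failures = []   # timestamps of failures still inside the window
        tripped = False
        for r in recs:
            if r["result"] == "failed":
                recent_failures.append(r["ts"])
                recent_failures = [t for t in recent_failures
                                   if (r["ts"] - t).total_seconds() <= window_s]
                if len(recent_failures) > max_failures:
                    tripped = True
                    verdicts[src] = "BRUTE_FORCE"
            elif tripped:
                verdicts[src] = "COMPROMISED"
    return verdicts


if __name__ == "__main__":
    for src, verdict in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

The operator at 203.0.113.8 produces no finding, while the scanner at 198.51.100.23 is first flagged for brute-forcing and then escalated to a compromise verdict the moment one of its attempts succeeds. A compromise verdict is the one to page on: at that point the right response is to pull the device off the network and reflash it, not just to block the source address.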

The Scale and Impact of the Attacks

The botnet launches DDoS attacks against hundreds of targets each day, with peak bandwidth of around 100 Gbps. Most attacks last only 10 to 30 seconds, but a burst of that size is enough to saturate links and knock services offline, and its brevity means it is often over before monitoring that averages traffic over minutes ever registers it.

Notably, October and November 2024 saw a surge in botnet activity, with the malware aggressively scanning for and compromising devices.

The Broader Botnet Threat

This latest Mirai variant is part of a larger trend of cybercriminals exploiting vulnerabilities in IoT and industrial devices to build botnets. Similar campaigns include:

  • Juniper Networks Warning: Malicious actors targeting Session Smart Router (SSR) products that still use default passwords to spread Mirai malware.
  • Akamai Report: Mirai infections weaponizing a remote code execution flaw in DigiEver DVRs.

These incidents reflect a troubling reality: as devices remain misconfigured or unpatched, attackers will continue to exploit them to grow their botnet armies.

How to Protect Against Mirai Botnets and DDoS Attacks

Given the persistent and evolving threat of Mirai-based botnets, it is critical for organizations and users to adopt comprehensive security measures:

  1. Change Default Credentials
    Replace factory-default passwords on all devices with strong, unique credentials.
  2. Patch and Update Devices Regularly
    Keep router firmware and software updated to mitigate known vulnerabilities like CVE-2024-12856.
  3. Implement Network Segmentation
    Isolate IoT and industrial devices from critical networks to limit lateral movement.
  4. Monitor for Unusual Traffic
    Use intrusion detection systems (IDS) and anomaly-based monitoring to catch two different signals: inbound floods, which mean you are the target, and outbound Telnet and HTTP scanning from IoT or industrial devices, which means they have already become bots.
  5. Deploy Anti-DDoS Solutions
    Cloud-based DDoS protection can absorb and mitigate high-bandwidth attacks before they reach your network.
  6. Limit Telnet and Remote Access
    Disable Telnet entirely, and restrict remote management interfaces, including the HTTP interface through which CVE-2024-12856 is reached, to trusted IPs or a management VPN. Never expose them directly to the internet.
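The 10-to-30-second floods described earlier are the case step 4 has to handle, and they are easy to miss with minute-level averaging. The added example below (written for this article, not any product’s detection logic) flags short high-rate bursts from per-second traffic counters and contrasts the result with what a coarse average would show. The counter format and the sample numbers are constructed for illustration.

```python
"""Flag short, high-rate floods of the kind described in the article (peaks
near 100 Gbps lasting 10 to 30 seconds) from per-second traffic counters.

Added example for this article, not a product's detection logic. The counter
format and the sample numbers are constructed for illustration.
"""
from dataclasses import dataclass


def constructed_counters():
    """Constructed sample: (second offset, bytes toward the target that second).
    ~50 Mbit/s baseline, a 15-second burst at 100 Gbit/s, then baseline again."""
    baseline = 50_000_000 // 8
    burst = 100_000_000_000 // 8
    return ([(t, baseline) for t in range(0, 20)]
            + [(t, burst) for t in range(20, 35)]
            + [(t, baseline) for t in range(35, 60)])


@dataclass
class Burst:
    start: int        # second offset of the first anomalous sample
    duration: int     # seconds
    peak_gbps: float


def bits_per_s(byte_count):
    return byte_count * 8


def detect_bursts(counters, baseline_window=10, factor=10.0, min_gbps=1.0):
    """Return Bursts where a second's rate is at least `factor` times the mean
    of the preceding `baseline_window` quiet seconds and at least `min_gbps`
    (the floor keeps idle links from alerting on noise). Consecutive flagged
    seconds are merged so each Burst reports start, duration and peak."""
    bursts = []
    history = []          # rates of recent non-anomalous seconds only
    current = None
    for t, nbytes in counters:
        rate = bits_per_s(nbytes)
        baseline = sum(history) / len(history) if history else 0.0
        anomalous = rate >= max(factor * baseline, min_gbps * 1e9)
        if anomalous:
            if current is None:
                current = Burst(start=t, duration=0, peak_gbps=0.0)
            current.duration += 1
            current.peak_gbps = max(current.peak_gbps, rate / 1e9)
        else:
            if current is not None:
                bursts.append(current)
                current = None
            history.append(rate)   # burst seconds never pollute the baseline
            history = history[-baseline_window:]
    if current is not None:
        bursts.append(current)
    return bursts


def mean_gbps_over(counters, seconds):
    """What a dashboard averaging over `seconds` would show for the same data:
    a 15 s, 100 Gbps flood averaged over five minutes looks like a 5 Gbps blip."""
    total_bits = sum(bits_per_s(b) for _, b in counters)
    return total_bits / seconds / 1e9


if __name__ == "__main__":
    data = constructed_counters()
    for b in detect_bursts(data):
        print(f"burst at t={b.start}s, {b.duration}s long, peak {b.peak_gbps:.1f} Gbps")
    print(f"same traffic averaged over 5 min: {mean_gbps_over(data, 300):.2f} Gbps")
```

On the constructed data the detector reports one burst starting at second 20, 15 seconds long, peaking at 100 Gbps; the five-minute average of the same interval is about 5 Gbps, which is why per-second (or at worst per-10-second) counters are needed to see these attacks at all. The same per-second view, applied to outbound traffic from a device VLAN, is also how you would spot one of your own routers participating in a flood.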

DDoS Threats Are Evolving

The latest Mirai botnet variant is more than just another malware strain: it shows how quickly DDoS capacity can be assembled from industrial routers and IoT devices using a decade of unpatched flaws and unchanged default passwords, giving attackers botnets with greater reach and destructive potential.

To stay ahead of these threats, organizations and individuals must remain vigilant, secure their devices, and adopt proactive cybersecurity practices. As this campaign demonstrates, even flaws that require authentication or date back a decade can have a massive impact if left unaddressed.

January 10, 2025
FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.