A new Mirai-based botnet malware named ‘ShadowV2’ has been observed targeting IoT devices from D-Link, TP-Link, and other vendors with exploits for known vulnerabilities.
Fortinet’s FortiGuard Labs researchers spotted the activity during the major AWS outage in October. Although the two incidents are not connected, the botnet was active only for the duration of the outage, which may indicate that it was a test run.
ShadowV2 spread by leveraging at least eight vulnerabilities in multiple IoT products:
DD-WRT (CVE-2009-2765)
D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915)
DigiEver (CVE-2023-52163)
TBK (CVE-2024-3721)
TP-Link (CVE-2024-53375)
Among these flaws, CVE-2024-10914 is a known-to-be-exploited command injection flaw impacting EoL D-Link devices, which the vendor announced that it would not fix.
Regarding CVE-2024-10915, for which there’s a NetSecFish report from November 2024, BleepingComputer initially did not find the vendor's advisory for the flaw. After reaching out to the company, we received confirmation that the issue would not be fixed for the impacted models.
... continue reading