A variant of the Mirai botnet called Beastmode has been observed adopting newly disclosed vulnerabilities in TOTOLINK routers between February and March 2022 to infect unpatched devices and expand its reach potentially.

“The Beastmode (aka B3astmode) Mirai-based DDoS campaign has aggressively updated its arsenal of exploits,” Fortinet’s FortiGuard Labs Research team said. “Five new exploits were added within a month, with three targeting various models of TOTOLINK routers.”

The list of exploited vulnerabilities in TOTOLINK routers is as follows –

  • CVE-2022-26210 (CVSS score: 9.8) – A command injection vulnerability that could be exploited to gain arbitrary code execution
  • CVE-2022-26186 (CVSS score: 9.8) – A command injection vulnerability affecting TOTOLINK N600R and A7100RU routers, and
  • CVE-2022-25075 to CVE-2022-25084 (CVSS scores: 9.8) – A command injection vulnerability impacting multiple TOTOLINK routers, leading to code execution

The other exploits targeted by Beastmode include flaws in TP-Link Tapo C200 IP camera (CVE-2021-4045, CVSS score: 9.8), Huawei HG532 routers (CVE-2017-17215, CVSS score: 8.8), video surveillance solutions from NUUO and Netgear (CVE-2016-5674, CVSS score: 9.8), and discontinued D-Link products (CVE-2021-45382, CVSS score: 9.8).

To prevent affected models from being taken over by the botnet, users are strongly recommended to update their devices to the latest firmware.

“Even though the original Mirai author was arrested in fall 2018, [the latest campaign] highlights how threat actors, such as those behind the Beastmode campaign, continue to rapidly incorporate newly published exploit code to infect unpatched devices using the Mirai malware,” the researchers said.