An improved version of Zerobot, a botnet that infects IoT devices and utilises them in DDoS assaults, is now circulating.

According to a research published by Microsoft’s security team, the malware used to include IoT devices into the botnet has already reached version 1.1.

This enhancement allows Zerobot to exploit vulnerabilities in Apache and Apache Spark in order to compromise more endpoints for further attack usage. Zerobot exploited vulnerabilities designated as CVE-2021-42013 and CVE-2022-33891.

Exploiting holes in Apache

The vulnerability CVE-2021-41773 in Apache HTTP Server 2.4.50 has been patched with a newer update, CVE-2021-42013.

Due to the latter’s insufficiency, attackers might perform a path traversal attack to lead users’ browsers to files stored in locations other than those specified in Alias-like directives, as detailed on the cve.mitre.org website. Requests may be granted if the “need all refused” setting is not in place for files located in other folders. With CGI scripts enabled on these redirected paths, remote code execution is possible. Only Apache 2.4.49 and 2.4.50 are vulnerable; previous versions are unaffected.

CVE-2022-33891, on the other hand, is a vulnerability in the Apache Spark user interface that permits impersonation attacks through the provision of an arbitrary username and, eventually, the execution of arbitrary shell commands. According to cve.mitre.org, this affects Apache Spark 3.0.3 and older, 3.1.1 and3.1.2, and 3.2.0 and 3.2.1.

According to Microsoft, the latest version of Zerobot has enhanced DDoS attack capabilities. A variety of resources may be targeted and rendered unavailable thanks to these capabilities, which are used by threat actors. The research claims that in almost all attacks, the destination port is modifiable, enabling threat actors who acquire the malware to tailor the assault to their own needs.