Botnet Hijacks Enterprise Automation

A new report details how the Zerobot botnet is exploiting weak credentials to hijack enterprise automation systems. The malware is notable for its ability to pivot between IoT devices, cloud services, and legacy infrastructure, highlighting the blurring line between IT and OT security.

The Zerobot malware, written in the Go programming language, is sold under a malware-as-a-service scheme that lets threat actors buy access and tailor attacks to their chosen targets. This model has industrialized cyberattacks, making it easier for criminals to obtain malware and maintain access to compromised networks. Microsoft tracks the group operating Zerobot as Storm-1061 (formerly DEV-1061). First observed in November 2022, Zerobot evolved quickly: updated versions added more exploits, string obfuscation, and self-propagation modules to extend its reach.

The botnet spreads by exploiting a range of vulnerabilities in IoT devices and web applications, including products from Tenda and Zyxel and the Spring Framework, and by brute-forcing SSH and Telnet logins to grow its network of infected devices. Once a device is compromised, Zerobot fetches a build of the malware matching the device's CPU architecture, named accordingly (for example "zero.arm64"). On Windows it copies itself into the "Startup" folder as "FireWall.exe" so that it is launched again at every logon. An "anti-kill" module resists attempts by users or system processes to terminate it.

The convergence of Information Technology (IT) and Operational Technology (OT) enlarges the attack surface. IT systems typically follow 3-5 year refresh cycles; OT systems can run for 15-30 years, often on legacy software designed without modern security in mind. As a result, OT environments may lack basic controls such as regular patching and strong password policies, making them prime targets.

Botnets like Zerobot are increasingly automated, with some leveraging AI to analyze traffic patterns and adapt their tactics in real time to evade detection. This "industrialization" of botnets outpaces traditional patching and response models.
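To make the Windows persistence detail above concrete, here is an added hunting example; it is not code from the article or from any vendor report on Zerobot. It enumerates the per-user and all-users Startup folders (resolved from the standard APPDATA and ProgramData environment variables) and reports any executable-looking file that is not on an allowlist. The allowlist entry and the sample "FireWall.exe" written into a temporary directory are constructed for the demo.

```python
"""Hunt for unexpected executables in Windows Startup folders.

Added example, not code from the original article. Windows launches every
item in the per-user and all-users Startup folders at logon, which is why
a copy named "FireWall.exe" there survives reboots. The allowlist here is
an assumption; build a real one from a clean baseline image.
"""
import os
import tempfile
from pathlib import Path

# File types Windows will launch (directly or via a shortcut) from a Startup folder.
EXECUTABLE_SUFFIXES = {".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk"}


def startup_dirs():
    """Resolve the per-user and all-users Startup folders from the environment.

    Only meaningful on Windows; elsewhere the variables are normally unset
    and the list comes back empty.
    """
    dirs = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        dirs.append(Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup")
    programdata = os.environ.get("ProgramData")
    if programdata:
        dirs.append(Path(programdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "StartUp")
    return dirs


def scan_startup(dirs, allowlist=frozenset()):
    """Return one finding per executable-looking file not on the allowlist.

    allowlist holds lower-cased file names that are known-good in this
    environment (assumption for illustration).
    """
    findings = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for entry in sorted(d.iterdir()):
            if not entry.is_file():
                continue
            if entry.suffix.lower() not in EXECUTABLE_SUFFIXES:
                continue
            if entry.name.lower() in allowlist:
                continue
            findings.append({
                "path": str(entry),
                "name": entry.name,
                "size": entry.stat().st_size,
                # PE files begin with "MZ"; a .exe that does not is suspicious by itself.
                "pe_header": entry.read_bytes()[:2] == b"MZ",
            })
    return findings


def demo():
    """Build a constructed Startup folder in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "FireWall.exe").write_bytes(b"MZ" + b"\x00" * 62)  # constructed: mimics the reported artifact
        (d / "OneDrive.lnk").write_bytes(b"L\x00\x00\x00")       # constructed: allowlisted shortcut
        (d / "desktop.ini").write_text("[.ShellClassInfo]\n")    # constructed: not executable
        return scan_startup([d], allowlist={"onedrive.lnk"})


if __name__ == "__main__":
    # On a real host call scan_startup(startup_dirs(), allowlist=...) instead.
    for finding in demo():
        print(finding)
```

On a live Windows host, replace the `demo()` call with `scan_startup(startup_dirs(), allowlist=...)`; anything it returns deserves a hash lookup and a check of the binary's signature before it is dismissed.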
The financial motivation is significant: botnets are rented out for Distributed Denial of Service (DDoS) attacks, used to steal sensitive data, and used to deploy ransomware. Exploitation of weak and default credentials remains a primary initial-access vector. Automated techniques such as credential stuffing (replaying username and password pairs leaked from other breaches), dictionary attacks (many candidate passwords against one account), and password spraying (a few common passwords against many accounts, staying under lockout thresholds) let attackers test millions of combinations rapidly. A single reused password can provide the foothold needed to compromise an entire network, which is why strong, unique passwords and multi-factor authentication are needed across all systems, including the OT and IoT devices that most often lack them.
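As an added example covering both the SSH brute-forcing attributed to Zerobot earlier and the credential-attack patterns described in the paragraph above (this is not code from the article), the following script parses OpenSSH "Failed password" log lines and labels each source address as brute force, password spray, or noise. The log lines, host names, addresses and thresholds are all constructed; tune the thresholds to your own environment.

```python
"""Classify credential-guessing activity from sshd log lines.

Added example, not code from the original article. It separates two shapes
of failed logins: brute force / dictionary attacks (one source, many
guesses against one or a few accounts) and password spraying (one source,
one or two guesses per account across many accounts, which is designed to
stay under per-account lockout thresholds). Thresholds are assumptions.
"""
import re
from collections import defaultdict

# OpenSSH syslog line, e.g.
# "Dec  8 03:14:07 edge sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2"
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log (documentation addresses only).
SAMPLE_LOG = """\
Dec  8 03:14:07 edge sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Dec  8 03:14:08 edge sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 41024 ssh2
Dec  8 03:14:09 edge sshd[1201]: Failed password for root from 203.0.113.7 port 41026 ssh2
Dec  8 03:14:10 edge sshd[1201]: Failed password for root from 203.0.113.7 port 41028 ssh2
Dec  8 03:14:11 edge sshd[1201]: Failed password for root from 203.0.113.7 port 41030 ssh2
Dec  8 03:14:12 edge sshd[1201]: Failed password for root from 203.0.113.7 port 41032 ssh2
Dec  8 03:14:13 edge sshd[1201]: Failed password for root from 203.0.113.7 port 41034 ssh2
Dec  8 03:14:14 edge sshd[1201]: Failed password for root from 203.0.113.7 port 41036 ssh2
Dec  8 03:15:01 edge sshd[1310]: Failed password for alice from 198.51.100.23 port 50100 ssh2
Dec  8 03:15:02 edge sshd[1310]: Failed password for bob from 198.51.100.23 port 50102 ssh2
Dec  8 03:15:03 edge sshd[1310]: Failed password for carol from 198.51.100.23 port 50104 ssh2
Dec  8 03:15:04 edge sshd[1310]: Failed password for dave from 198.51.100.23 port 50106 ssh2
Dec  8 03:15:05 edge sshd[1310]: Failed password for erin from 198.51.100.23 port 50108 ssh2
Dec  8 03:15:06 edge sshd[1310]: Failed password for frank from 198.51.100.23 port 50110 ssh2
Dec  8 03:16:30 edge sshd[1402]: Failed password for alice from 192.0.2.55 port 60200 ssh2
Dec  8 03:16:45 edge sshd[1402]: Accepted password for alice from 192.0.2.55 port 60202 ssh2
"""


def parse_failures(log_text):
    """Map each source IP to {username: failure_count}; successes are ignored."""
    per_src = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_src[m.group("src")][m.group("user")] += 1
    return per_src


def classify(per_src, min_failures=5, spray_max_per_user=2):
    """Label each source by the shape of its failures.

    brute_force: at least min_failures failures, concentrated on few accounts
    spray:       at least min_failures distinct accounts, each hit no more than
                 spray_max_per_user times (the lockout-evading pattern)
    noise:       below threshold, most likely a legitimate typo
    """
    verdicts = {}
    for src, users in per_src.items():
        total = sum(users.values())
        if total < min_failures:
            verdicts[src] = "noise"
        elif len(users) >= min_failures and max(users.values()) <= spray_max_per_user:
            verdicts[src] = "spray"
        else:
            verdicts[src] = "brute_force"
    return verdicts


def detect(log_text, **thresholds):
    """Convenience wrapper: parse then classify."""
    return classify(parse_failures(log_text), **thresholds)


if __name__ == "__main__":
    for src, verdict in detect(SAMPLE_LOG).items():
        print(f"{src:16} {verdict}")
```

The distinction matters operationally: a per-account lockout policy stops the brute-force source but does nothing against the spraying source, which is why the spray verdict should feed a per-source block or rate limit rather than an account lock.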


Shared from Scout - Be the smartest in the room.