The SonicWall Capture Labs Threat Research team has received reports about a new Mirai botnet malware targeting network security devices. The Mirai botnet malware attack involves many different brands of connected network security devices that are affected by critical vulnerabilities. The following vulnerabilities are involved:

• CVE-2020-25506: D-Link DNS-320 firewall exploit
• CVE-2021-27561: Yealink Device Management remote code-execution (RCE)
• CVE-2021-27562: Yealink Device Management remote code-execution (RCE)
• CVE-2020-26919: Netgear ProSAFE Plus exploit
• CVE-2021-22502: Micro Focus Operation Bridge Reporter RCE
• CVE-2019-19356: Netis WF2419 Wireless Router Remote Code Execution (RCE)
• VisualDoor: SonicWall SSL-VPN Remote Command Injection Vulnerability

On March 16, 2021, SonicWall Capture Labs Threat Research team released the following signatures to protect against such attacks:

• CVE-2020-25506
  IPS:15455 D-Link DNS-320 system_mgr.cgi Command Injection
• CVE-2021-27561/CVE-2021-27562
  IPS:15456 Yealink DM Remote Code Execution
• CVE-2021-22502
  IPS:15457 Micro Focus Operations Bridge Reporter Command Injection
• CVE-2019-19356
  IPS:15458 Netis WF2419 netcore_set.cgi Remote Code Execution
• VisualDoor: SonicWall SSL-VPN Remote Command Injection Vulnerability
  This is an old vulnerability. SonicWall released the patch for this vulnerability in 2015. There are also existing signatures detecting it:
  IPS:5603 GNU Bash Code Injection (CVE-2014-6271) 2
  IPS:13064 GNU Bash Code Injection (CVE-2014-6278)
• GAV signatures to cover malware samples:
  GAV: Mirai.LL
  GAV: Mirai.LL_1