New Aquabotv3 Botnet Malware Targets Mitel Command Injection Flaw

Summary:
A new variant of the Mirai-based botnet malware, Aquabotv3, has been observed exploiting a command injection vulnerability (CVE-2024-41710) in Mitel SIP phones. Discovered by Akamai's Security Intelligence and Response Team (SIRT), Aquabotv3 is the third iteration of its kind and features a new mechanism that reports termination attempts back to its command-and-control server. Researchers state this is unusual for botnets and has likely been added to help operators better monitor the botnet.

The flaw in question allows authenticated attackers to execute arbitrary commands and can be exploited via an argument injection attack. CVE-2024-41710 affects Mitel 6800, 6900, and 6900w Series SIP phones, commonly used in corporate offices, enterprises, government agencies, hospitals, educational institutions, hotels, and financial institutions. Mitel released patches for the vulnerability in July 2024. However, proof-of-concept code was published by security researcher Kyle Burns two weeks later, and it has been leveraged in attacks observed by Akamai since early January 2025.

Security Officer Comments:
CVE-2024-41710 has been assigned a medium severity rating because successful exploitation requires admin privileges. However, this requirement is easily overcome in practice, as actors can use means such as brute forcing to gain initial access.

According to Akamai, actors have been observed executing a shell script designed to download and install the Aquabotv3 payload for various CPU architectures. Once deployed, Aquabotv3 reaches out to its C2 server via TCP to receive instructions, attack commands, updates, or additional payloads. From there it attempts to spread to other IoT devices by exploiting various vulnerabilities (e.g., the Mitel flaw, CVE-2018-17532 in TP-Link devices, and CVE-2023-26801, an IoT firmware RCE) and by brute-forcing weak SSH/Telnet credentials. Its main goal is to recruit devices into a DDoS botnet and use them for various types of attacks, including TCP SYN, UDP, and application-layer attacks. Notably, the botnet operators have been promoting its DDoS capabilities on Telegram under names such as Cursinq Firewall, The Eye Services, and The Eye Botnet, claiming it is a tool for testing DDoS mitigation.

Suggested Corrections:
Organizations should regularly patch devices to address known vulnerabilities such as CVE-2024-41710, disable unnecessary services such as Telnet, and enforce strong, unique passwords on all devices. Network segmentation can isolate vulnerable devices, reducing the impact of a compromise. Additionally, employing intrusion detection/prevention systems and monitoring for unusual traffic patterns can help detect and block DDoS activity early. Finally, keeping IoT devices updated with the latest firmware is essential for reducing exploitation opportunities.
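One concrete way to act on the "monitor for unusual traffic patterns" advice above, as an added example that is not code from Akamai's report or the Mitel advisory. The flow-log format, the 10.20.0.0/24 voice VLAN, the sample records, and the thresholds are all constructed assumptions. The script scans flow records for the two behaviours the report attributes to Aquabotv3 once it is on a phone: fanning out to SSH/Telnet on many distinct hosts (credential brute-forcing to spread) and emitting large volumes of SYN-only flows (TCP SYN flood participation). A desk phone should be doing neither, so either pattern from the voice segment is worth an alert.

```python
"""
Flow-log heuristics for spotting Mirai-style activity from a VoIP phone segment.

Added example; the log format, subnet, sample records and thresholds below are
constructed assumptions, not values from the Akamai report or Mitel advisory.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

PHONE_SUBNET = ip_network("10.20.0.0/24")   # assumed voice VLAN holding the SIP phones
LATERAL_PORTS = {22, 23}                     # SSH / Telnet: brute-force spreading targets
LATERAL_TARGET_THRESHOLD = 5                 # distinct SSH/Telnet targets per phone (assumed)
SYN_FLOOD_THRESHOLD = 100                    # SYN-only packets per phone in the window (assumed)

# Constructed sample flow records (not real telemetry).
# Fields: src dst dport proto tcp_flags packets   ("-" = no TCP flags, UDP)
SAMPLE_FLOWS = """\
10.20.0.15 10.20.0.1 5060 udp - 12
10.20.0.15 203.0.113.9 443 tcp SA 8
10.20.0.42 192.0.2.10 23 tcp SA 3
10.20.0.42 192.0.2.11 23 tcp S 1
10.20.0.42 192.0.2.12 23 tcp SA 2
10.20.0.42 192.0.2.13 23 tcp S 1
10.20.0.42 192.0.2.14 22 tcp SA 4
10.20.0.42 192.0.2.15 23 tcp S 1
10.20.0.77 198.51.100.5 80 tcp S 90
10.20.0.77 198.51.100.5 80 tcp S 70
172.16.5.9 192.0.2.20 23 tcp SA 3
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts; blank and # lines are skipped."""
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto, flags, packets = line.split()
        flows.append({
            "src": ip_address(src),
            "dst": ip_address(dst),
            "dport": int(dport),
            "proto": proto.lower(),
            "flags": flags,
            "packets": int(packets),
        })
    return flows


def _from_phone(flow):
    return flow["src"] in PHONE_SUBNET


def find_lateral_movement(flows):
    """Phones opening SSH/Telnet to many distinct hosts: worm-like credential brute-forcing."""
    targets = defaultdict(set)
    for f in flows:
        if _from_phone(f) and f["proto"] == "tcp" and f["dport"] in LATERAL_PORTS:
            targets[str(f["src"])].add(str(f["dst"]))
    return {src: sorted(t) for src, t in targets.items() if len(t) >= LATERAL_TARGET_THRESHOLD}


def find_syn_floods(flows):
    """Phones emitting large SYN-only volumes (flags == "S", never completed): DDoS participation."""
    syn_packets = defaultdict(int)
    for f in flows:
        if _from_phone(f) and f["proto"] == "tcp" and f["flags"] == "S":
            syn_packets[str(f["src"])] += f["packets"]
    return {src: n for src, n in syn_packets.items() if n >= SYN_FLOOD_THRESHOLD}


def analyze(text):
    """Run both heuristics over a block of flow records and return the offending sources."""
    flows = parse_flows(text)
    return {"lateral": find_lateral_movement(flows), "syn_flood": find_syn_floods(flows)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_FLOWS).items():
        for src, detail in hits.items():
            print(f"[{kind}] {src}: {detail}")
```

On the sample data, 10.20.0.42 is flagged for reaching Telnet/SSH on six distinct hosts and 10.20.0.77 for 160 SYN-only packets toward one web server; the benign phone 10.20.0.15 and the non-phone host 172.16.5.9 produce nothing. In a real deployment the thresholds would be tuned to the window size of the flow export, and the two findings map naturally onto a segmentation policy: phones in the voice VLAN normally need SIP/RTP and a management path, not outbound SSH or Telnet.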

IOCs:
https://www.akamai.com/blog/securit...aquabot-mirai-variant-exploiting-mitel-phones

Link(s):
https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0019