
VMware, F5, Log4j added to EnemyBot attack targets

Also tries to infect Android devices.

By Richard Chirgwin on Jun 1, 2022 9:55AM

AT&T is warning of expansions to the EnemyBot malware botnet that target recently-discovered vulnerabilities in F5 hardware and VMware software.

Discovered by Securonix in March, EnemyBot’s original target was the wide range of Linux variants used in IoT devices.

However, a more recent analysis released last week by AT&T Alien Labs showed EnemyBot is launching attacks against a number of more recent vulnerabilities in content management systems, web servers, F5 hardware, and VMware software.

The AT&T analysis notes that “most of EnemyBot functionality relates to the malware’s spreading capabilities, as well as its ability to scan public-facing assets and look for vulnerable devices.”

“However, the malware also has DDoS capabilities and can receive commands to download and execute new code (modules) from its operators that give the malware more functionality,” it wrote.

There’s quite a list of targets in the AT&T analysis, with the high-profile Log4j remote code execution (RCE) vulnerabilities from last year (CVE-2021-44228 and CVE-2021-45046), a VMware Workspace ONE vulnerability (CVE-2022-22954) discovered in April, and a REST vulnerability in F5’s BIG-IP application delivery server (CVE-2022-1388) published in May.

Nine of the vulnerabilities, including several in WordPress plugins and one in Adobe ColdFusion 11 discovered in February (outlined at Packetstorm), have no CVE assigned.

If EnemyBot successfully infects a target, it will try to find other vulnerable hosts to infect.

Its command and control (C&C) servers can also invoke a range of commands on EnemyBot, including various DDoS tools, shell commands, reverse shell creation, and a TLS attack (it starts a handshake without closing the socket).

It will also try to infect Android devices connected through the USB port, AT&T said.

In April, Fortinet and others attributed EnemyBot to a cryptomining and DDoS attack group dubbed Keksec.

“The EnemyBot botnet borrows the code from the Gafgyt bot and re-used some codes from the infamous Mirai botnet,” Fortinet wrote at the time.

Copyright © iTnews.com.au . All rights reserved.