Severity
High
Analysis Summary
CVE-2021-1306
DirtyMoe (a.k.a. PurpleFox, NuggetPhantom, and Perkiler) has increased its operations by 900% since 2020. While the botnet infected only 10,000 computers in 2020, it has infected 100,000 in the first half of 2021 alone.
DirtyMoe is a complex malware family designed as a modular system. The group has been active since 2017, when the botnet was used mainly for cryptocurrency mining; it was also used to launch DDoS attacks in 2018. The group exploits CVE-2020-0674, a scripting engine memory corruption vulnerability, along with many others to deliver the DirtyMoe rootkit.
The botnet has now evolved to spread over the internet to other Windows systems.

“Recently, a new infection vector that cracks Windows machines through SMB password brute force is on the rise”
The number of infected devices may also be far greater than the reported figure. The C2 servers involved in the attacks are located in China, which suggests that the threat actors behind DirtyMoe are experienced and sophisticated.

Impact
- Distributed Denial of Service (DDoS)
- Credential Theft
- Data Theft
- Unauthorized Access
Affected Vendors
Cisco
Affected Products
- Cisco EPN Manager Earlier than 5.0.1
- Cisco ISE Earlier than Release 2.6 Patch10
- Cisco ISE Earlier than Release 2.7 Patch4
- Cisco ISE Earlier than Release 3.0 Patch2
- Cisco ISE Earlier than Release 3.1
- Cisco Prime Infrastructure Releases 3.5 and later
- Cisco Prime Infrastructure Earlier than Release 3.8.1 Update 2
- Cisco Prime Infrastructure Earlier than Release 3.9.0
Remediation
- Closely monitor Windows systems for suspicious activity.
- Keep devices and systems patched.
For more updates, visit https://decoded.avast.io/martinchlumecky/dirtymoe-1/#ref
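The infection vector described above (SMB password brute force against Windows hosts) and the remediation advice to monitor Windows systems both point at the same telemetry: bursts of failed network logons (Security Event ID 4625, Logon Type 3) from a single source. The following is an added example, not Rewterz's or Avast's code; it runs a sliding-window detection over constructed, simplified 4625-style records whose IP addresses and account names are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: simplified Windows Security log records (Event ID 4625,
# "An account failed to log on"). Logon Type 3 is a network logon, which is what
# an SMB password-guessing attempt produces. All values here are invented.
SAMPLE_EVENTS = [
    "2021-06-23T10:00:01 4625 LogonType=3 Account=administrator Source=203.0.113.7",
    "2021-06-23T10:00:03 4625 LogonType=3 Account=admin Source=203.0.113.7",
    "2021-06-23T10:00:06 4625 LogonType=3 Account=backup Source=203.0.113.7",
    "2021-06-23T10:00:09 4625 LogonType=3 Account=guest Source=203.0.113.7",
    "2021-06-23T10:00:15 4625 LogonType=3 Account=user1 Source=203.0.113.7",
    "2021-06-23T10:00:30 4625 LogonType=2 Account=jdoe Source=192.0.2.10",  # console logon, ignored
    "2021-06-23T10:05:00 4625 LogonType=3 Account=svc Source=198.51.100.4",
    "2021-06-23T11:30:00 4625 LogonType=3 Account=svc Source=198.51.100.4",  # too far apart
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<id>\d+) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)

def parse_event(line):
    """Parse one record into a dict, or return None if the line does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "event_id": int(m["id"]),
            "logon_type": int(m["ltype"]), "account": m["acct"], "source": m["src"]}

def detect_smb_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {source: (peak_failures, distinct_accounts)} for every source that
    produced at least `threshold` network-logon failures within any `window`."""
    per_source = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["event_id"] == 4625 and ev["logon_type"] == 3:
            per_source[ev["source"]].append(ev)
    hits = {}
    for src, evs in per_source.items():
        evs.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[src] = (peak, len({e["account"] for e in evs}))
    return hits
```

A high distinct-account count alongside the failure count distinguishes password spraying from a single misconfigured service retrying one credential.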