{"id":18647,"date":"2022-04-01T07:40:03","date_gmt":"2022-04-01T15:40:03","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/04\/01\/news-12380\/"},"modified":"2022-04-01T07:40:03","modified_gmt":"2022-04-01T15:40:03","slug":"news-12380","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/04\/01\/news-12380\/","title":{"rendered":"Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2><b><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs.html?utm_source=blog&amp;utm_medium=campaign&amp;utm_campaign=FortiGuardLabs\">FortiGuard Labs<\/a>\u00a0Research<\/b><\/h2>\n<p><b>Affected Platforms:<\/b> Linux<br \/> <b>Impacted Users: <\/b>Any organization<br \/> <b>Impact: <\/b>Remote attackers gain control of the vulnerable systems<br \/> <b>Severity Level: <\/b>Critical<\/p>\n<p>Between February and March 2022, our FortiGuard Labs team observed that the Beastmode (aka B3astmode) Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Five new exploits were added within a month, with three targeting various models of TOTOLINK routers.<\/p>\n<p>This inclusion of TOTOLINK exploits is especially noteworthy as they were added just a week after the exploit codes were published on GitHub. 
We previously reported on the <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/manga-aka-dark-mirai-based-campaign-targets-new-tp-link-router-rce-vulnerability\">MANGA campaign<\/a>, which similarly adopted exploit code within weeks of its release.<\/p>\n<p>By rapidly adopting newly released exploit code, threat actors can potentially infect vulnerable devices and expand their botnets before patches are applied to fix these vulnerabilities.<\/p>\n<p>TOTOLINK has already released <a href=\"http:\/\/totolink.net\/home\/news\/me_name\/id\/39\/menu_listtpl\/DownloadC.html\" target=\"_blank\">updated firmware<\/a> for affected models, and users are strongly encouraged to update their devices.<\/p>\n<p>This post details how this threat leverages these vulnerabilities to control affected devices, and ways to protect users from these attacks.<\/p>\n<h2><b>Exploiting New Vulnerabilities<\/b><\/h2>\n<p>The Beastmode campaign derives its name from filenames and URLs used for its binary samples (Figure 1), as well as a unique HTTP User-Agent header &quot;b3astmode&quot; (Figure 2) within the exploit requests. Binary samples are based on the publicly available source code of the Mirai botnet.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/totolink-vulnerabilities-beastmode-mirai-campaign\/_jcr_content\/root\/responsivegrid\/image.img.png\/1648503149035\/fig1.png\" alt=\"Figure 1. Honeypot log excerpt displaying usage of \u201cbeastmode\u201d and \u201cb3astmode\u201d in filenames and URLs\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1. 
Honeypot log excerpt displaying usage of \u201cbeastmode\u201d and \u201cb3astmode\u201d in filenames and URLs<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Like most DDoS botnets, aside from brute-forcing credentials, Beastmode employs a variety of exploits to infect more devices, as listed below.<\/p>\n<p><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-26210\" target=\"_blank\">CVE-2022-26210<\/a> targets TOTOLINK A800R, A810R, A830R, A950RG, A3000RU, and A3100R (Figure 2).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/totolink-vulnerabilities-beastmode-mirai-campaign\/_jcr_content\/root\/responsivegrid\/image_912870419.img.png\/1648503238169\/fig2.png\" alt=\" Figure 2. CVE-2022-26210 exploit request\"\/>         <\/noscript>          <span class=\"cmp-image--title\"> Figure 2. CVE-2022-26210 exploit request<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-26186\" target=\"_blank\">CVE-2022-26186<\/a> targets TOTOLINK N600R and A7100RU (Figure 3).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/totolink-vulnerabilities-beastmode-mirai-campaign\/_jcr_content\/root\/responsivegrid\/image_1952154630.img.png\/1648503269324\/fig3.png\" alt=\"Figure 3. 
CVE-2022-26186 exploit request\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. CVE-2022-26186 exploit request<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-25075\" target=\"_blank\">CVE-2022-25075<\/a>\/<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-25076\" target=\"_blank\">25076<\/a>\/<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-25077\" target=\"_blank\">25077<\/a>\/<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-25078\" target=\"_blank\">25078<\/a>\/<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-25079\" target=\"_blank\">25079<\/a>\/<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-25080\" target=\"_blank\">25080<\/a>\/<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-25081\" target=\"_blank\">25081<\/a>\/<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-25082\" target=\"_blank\">25082<\/a>\/<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-25083\" target=\"_blank\">25083<\/a>\/<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-25084\" target=\"_blank\">25084<\/a> are a family of similar vulnerabilities targeting TOTOLINK A810R, A830R, A860R, A950RG, A3100R, A3600R, T6, and T10 routers (Figure 4).<\/p>\n<p>Interestingly, the samples caught on 20 Feb 2022 contained a typo in the URL, where \u201cdownloadFile.cgi\u201d was used instead of the \u201cdownloadFlile.cgi\u201d used by the devices. 
This had been fixed in samples captured three days later, suggesting active development and operation of this campaign.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/totolink-vulnerabilities-beastmode-mirai-campaign\/_jcr_content\/root\/responsivegrid\/image_512997995.img.png\/1648503302129\/fig4.png\" alt=\"Figure 4. CVE-2022-25075 exploit with the correct request\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4. CVE-2022-25075 exploit with the correct request<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Apart from TOTOLINK products, this campaign also targets discontinued D-Link products (DIR-810L, DIR-820L\/LW, DIR-826L, DIR-830L and DIR-836L) via <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-45382\">CVE-2021-45382<\/a> (Figure 5). Note that updated firmware is not available as these products have reached their end of life\/support cycles.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/totolink-vulnerabilities-beastmode-mirai-campaign\/_jcr_content\/root\/responsivegrid\/image_703232426.img.png\/1648503780781\/fig5.png\" alt=\"Figure 5. CVE-2021-45382 exploit request\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5. 
CVE-2021-45382 exploit request<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It is interesting to note that this campaign also attempts to exploit <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-4045\" target=\"_blank\">CVE-2021-4045<\/a> (Figure 6), a vulnerability for the TP-Link Tapo C200 IP camera, which we have not observed in other Mirai-based campaigns. While the current implementation of the exploit is incorrect, device owners should still update their camera <a href=\"https:\/\/www.tapo.com\/us\/faq\/21\/\" target=\"_blank\">firmware<\/a> to fix this vulnerability.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/totolink-vulnerabilities-beastmode-mirai-campaign\/_jcr_content\/root\/responsivegrid\/image_1417053916.img.png\/1648503981079\/fig6.png\" alt=\"Figure 6. CVE-2021-4045 exploit request\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6. 
CVE-2021-4045 exploit request<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>A couple of older vulnerabilities were also found in the samples analyzed by FortiGuard Labs researchers, namely <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2017-17215\" target=\"_blank\">CVE-2017-17215<\/a> (Figure 7) targeting Huawei HG532 routers, and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2016-5674\" target=\"_blank\">CVE-2016-5674<\/a> (Figure 8) targeting NUUO NVRmini2, NVRsolo, Crystal Devices, and NETGEAR ReadyNAS Surveillance products.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/totolink-vulnerabilities-beastmode-mirai-campaign\/_jcr_content\/root\/responsivegrid\/image_1137194647.img.png\/1648504035676\/fig7.png\" alt=\"Figure 7. CVE-2017-17215 exploit request\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7. CVE-2017-17215 exploit request<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/totolink-vulnerabilities-beastmode-mirai-campaign\/_jcr_content\/root\/responsivegrid\/image_288386228.img.png\/1648504054687\/fig8.png\" alt=\"Figure 8. 
CVE-2016-5674 exploit request\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8. CVE-2016-5674 exploit request<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Although they affect a variety of products, these vulnerabilities are all similar in that they allow threat actors to inject commands that are executed after successful exploitation. This usually involves using the wget command to download shell scripts that infect the device with Beastmode.<\/p>\n<p>In addition, different exploits lead to slightly different shell scripts. Snippets of the scripts downloaded after successful exploitation of CVE-2021-45382, CVE-2022-26186, and CVE-2022-25075, respectively, are shown below (Figure 9).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/totolink-vulnerabilities-beastmode-mirai-campaign\/_jcr_content\/root\/responsivegrid\/image_1789664024.img.png\/1648504102659\/fig9.png\" alt=\"Figure 9. Executing Beastmode with different filenames and parameters\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9. Executing Beastmode with different filenames and parameters<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As shown in the above figure, each script downloads the same file but saves it under a different filename and executes it with different parameters.<\/p>\n<p>For instance, successful exploitation of CVE-2021-45382, a vulnerability involving a function named \u201cDDNS\u201d within D-Link router firmware, leads to the download and execution (Figure 5) of the shell script \u201cddns.sh\u201d. 
As shown in Figure 9, the script then downloads the Beastmode binary, which is saved as \u201cddns\u201d and executed with the \u201cddns.exploit\u201d parameter. The parameter (highlighted in blue) allows the infected device to register itself as part of the \u201cddns.exploit\u201d sub-group within the botnet. Botnet operators could then use this grouping to assess the viability of specific exploits by measuring the number of bots, or simply for ease of management.<\/p>\n<p>Once devices are infected by Beastmode, the botnet can be used by its operators to perform a variety of DDoS attacks commonly found in other Mirai-based botnets, including:<\/p>\n<ul>\n<li>attack_app_http<\/li>\n<li>attack_tcp_ack<\/li>\n<li>attack_tcp_syn<\/li>\n<li>attack_udp_plain<\/li>\n<li>attack_udp_vse<\/li>\n<li>attack_udp_ovhhex<\/li>\n<li>attack_udp_stdhex<\/li>\n<li>attack_udp_CLAMP<\/li>\n<\/ul>\n<h2><b>Conclusion<\/b><\/h2>\n<p>Even though the original Mirai author was arrested in fall 2018, this article highlights how threat actors, such as those behind the Beastmode campaign, continue to rapidly incorporate newly published exploit code to infect unpatched devices using the Mirai malware.<\/p>\n<p>By continuously monitoring the evolving threat landscape, FortiGuard Labs researchers identify new vulnerabilities exploited by Mirai variants and malware targeting IoT devices to bring greater awareness to such threats and better secure our customers\u2019 networks.<\/p>\n<h2><b>Fortinet Protections<\/b><\/h2>\n<p>Fortinet customers are protected by the following:<\/p>\n<ul>\n<li>The following generic FortiGuard IPS signatures detect exploitation attempts from Beastmode and other Mirai-based botnets:\n<ul>\n<li><a href=\"https:\/\/www.fortiguard.com\/encyclopedia\/ips\/43191\" style=\"background-color: rgb(255,255,255);\">Mirai.Botnet<\/a><\/li>\n<li><a href=\"https:\/\/www.fortiguard.com\/encyclopedia\/ips\/45677\" style=\"background-color: 
rgb(255,255,255);\">HTTP.Unix.Shell.IFS.Remote.Code.Execution<\/a><\/li>\n<\/ul>\n<\/li>\n<li>FortiGuard Labs also provides IPS signatures against the following vulnerabilities.\n<ul>\n<li>CVE-2017-17215 &#8211; <a href=\"https:\/\/www.fortiguard.com\/encyclopedia\/ips\/45066\">Huawei.HG532.Remote.Code.Execution<\/a><\/li>\n<li>CVE-2016-5674 &#8211; <a href=\"https:\/\/www.fortiguard.com\/encyclopedia\/ips\/43028\">NUUO.Surveillance.Application.UNAUTH.Remote.Code.Execution<\/a><\/li>\n<\/ul>\n<\/li>\n<li>The FortiGuard Web Filtering Service blocks downloaded URLs and identified C2s.<\/li>\n<li>The FortiGuard AntiVirus service detects and blocks this threat as Linux\/Mirai and ELF\/Mirai<\/li>\n<\/ul>\n<div>\u00a0<\/div>\n<div><a href=\"https:\/\/www.fortinet.com\/support\/support-services\/fortiguard-security-subscriptions\/ipreputation-antibot\">FortiGuard IP Reputation &amp; Anti-Botnet Security Service<\/a> proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.<\/div>\n<h2><b>IOCs<\/b><\/h2>\n<p><u>Download URLs<\/u><\/p>\n<p><u>\u00a0<\/u><\/p>\n<p><u>C2 
IPs<\/u><\/p>\n<p>195.133.18[.]119<\/p>\n<p>136.144.41[.]69<\/p>\n<p><u>\u00a0<\/u><\/p>\n<p><u>Samples (SHA256)<\/u><\/p>\n<div><i>Learn more about Fortinet\u2019s <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguard-labs\">FortiGuard Labs<\/a> threat research and intelligence organization and the FortiGuard Security 
Subscriptions and Services <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?tab=security-bundles&amp;utm_source=blog&amp;utm_campaign=security-bundles\">portfolio<\/a>.<\/i><\/div>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-b2dxtopzidsdt3fkzfsv-holder\"><\/div>\n<\/div><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/totolink-vulnerabilities-beastmode-mirai-campaign\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/totolink-vulnerabilities-beastmode-mirai-campaign\/_jcr_content\/root\/responsivegrid\/image.img.png\/1648503149035\/fig1.png\"\/><br \/>FortiGuard Labs analyzed fresh TOTOLINK vulnerabilities which the Beastmode Mirai-based DDoS campaign added to its arsenal. Read about how this threat leverages these vulnerabilities to control affected 
devices.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-18647","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18647","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18647"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18647\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18647"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18647"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18647"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}