ShadowV2 Casts a Shadow Over IoT Devices | FortiGuard Lab
Summary:
Fortinet has published details of a new malware, dubbed “ShadowV2,” that propagates by exploiting known vulnerabilities in devices from D-Link, TP-Link, DD-WRT, DigiEver, and TBK. ShadowV2 is believed to be built on the architecture of an existing Mirai variant and is designed for IoT devices. Based on the observed activity, the malware uses at least eight vulnerabilities across several IoT products for initial access:
- DD-WRT: CVE-2009-2765
- D-Link: CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915
- DigiEver: CVE-2023-52163
- TBK: CVE-2024-3721
- TP-Link: CVE-2024-53375
Security Officer Comments:
According to Fortinet, ShadowV2 activity was observed during the major AWS outage in October. The two events are not related, but researchers note that the botnet was active only for the duration of the outage, which suggests ShadowV2 was deployed as a test run rather than a full operational campaign. Even in that short window its reach was wide, with attacks observed in North and South America, Europe, Africa, Asia, and Australia. The attacks were launched from the IP address 198[.]199[.]72[.]27 and targeted routers, NAS devices, and DVRs across seven sectors, including government, technology, manufacturing, managed security service providers (MSSPs), telecommunications, and education.
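Because the only network indicator in the write-up is a single source address, the quickest retrospective check is to look for that address in perimeter logs and see which internal routers, NAS units or DVRs it reached. The script below is an added example, not code from Fortinet or from this advisory: it refangs the published IP, parses firewall log lines in a constructed format (the `fw: ACCEPT|DROP src= dst= dport=` layout, the hostnames and the timestamps are all made up for illustration), and reports accepted connections to web-management ports, which is where the listed CVEs are exploited. The set of watched ports is an assumption; adjust it to the ports your devices actually expose.

```python
"""Retrospective check for the ShadowV2 source IP in firewall logs.
Added example (not Fortinet's or the advisory's code). The log format,
hostnames, timestamps and watched ports are assumptions for illustration."""
import ipaddress
import re
from collections import Counter

# Indicator exactly as published in the advisory (defanged).
SHADOWV2_SOURCE_DEFANGED = "198[.]199[.]72[.]27"

# Assumption: ports on which the targeted routers/NAS/DVRs expose the
# web UIs that the listed CVEs are exploited through.
WATCHED_PORTS = {80, 443, 8080, 8443}

# Assumed (constructed) log line layout for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) fw: (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample log; not real traffic.
SAMPLE_LOG = """\
2025-10-20T14:02:11Z edge-fw fw: ACCEPT src=198.199.72.27 dst=10.10.5.20 dport=80
2025-10-20T14:02:13Z edge-fw fw: ACCEPT src=198.199.72.27 dst=10.10.5.21 dport=8080
2025-10-20T14:02:15Z edge-fw fw: DROP src=198.199.72.27 dst=10.10.5.22 dport=23
2025-10-20T14:03:00Z edge-fw fw: ACCEPT src=203.0.113.9 dst=10.10.5.20 dport=443
2025-10-20T14:03:02Z edge-fw fw: ACCEPT src=198.199.72.27 dst=10.10.5.20 dport=80
"""


def refang(ioc: str) -> str:
    """Turn a defanged IPv4 indicator ('198[.]199[.]72[.]27') into a real
    address and validate it, so a typo in the IoC fails loudly instead of
    silently matching nothing."""
    clean = ioc.replace("[.]", ".")
    ipaddress.ip_address(clean)  # raises ValueError on a malformed address
    return clean


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_shadowv2_hits(lines, ioc_defanged: str = SHADOWV2_SOURCE_DEFANGED):
    """Return two Counters keyed by 'dst:port':
    accepted -> connections from the IoC that the firewall let through to a
                watched management port (devices to inspect first);
    dropped  -> connections from the IoC the firewall blocked (evidence of
                scanning, but no compromise via that path)."""
    src = refang(ioc_defanged)
    accepted, dropped = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] != src:
            continue
        key = f"{rec['dst']}:{rec['dport']}"
        if rec["action"] == "ACCEPT" and rec["dport"] in WATCHED_PORTS:
            accepted[key] += 1
        elif rec["action"] == "DROP":
            dropped[key] += 1
    return accepted, dropped


if __name__ == "__main__":
    acc, drp = find_shadowv2_hits(SAMPLE_LOG.splitlines())
    for target, n in acc.most_common():
        print(f"INSPECT {target}: {n} accepted connection(s) from ShadowV2 source")
    for target, n in drp.most_common():
        print(f"blocked {target}: {n} dropped connection(s)")
```

Devices under the "INSPECT" lines are the ones to pull firmware versions and process lists from; a device in that list running a version affected by one of the CVEs above should be treated as compromised until proven otherwise.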
Suggested Corrections:
Organizations should ensure their devices receive timely firmware updates, prioritising the CVEs listed above. Devices that cannot be patched (for example, end-of-life models) should have their management interfaces removed from the internet and restricted to trusted networks. Network segmentation and strict access controls should also be implemented to limit lateral movement and isolate vulnerable or legacy IoT systems.
Link(s):
https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices