{"id":95751,"date":"2021-08-19T11:00:46","date_gmt":"2021-08-19T18:00:46","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=95751"},"modified":"2023-09-11T15:53:35","modified_gmt":"2023-09-11T22:53:35","slug":"how-to-proactively-defend-against-mozi-iot-botnet","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/","title":{"rendered":"How to proactively defend against Mozi IoT botnet"},"content":{"rendered":"<p>Mozi is a peer-to-peer (P2P) botnet that uses a BitTorrent-like network to infect IoT devices such as network gateways and digital video records (DVRs). It works by exploiting weak telnet passwords<sup>1<\/sup> and nearly a dozen unpatched IoT vulnerabilities<sup>2<\/sup> and it\u2019s been used to conduct distributed denial-of-service (DDoS) attacks, data exfiltration, and command or payload execution<sup>3<\/sup>.<\/p>\n<p>While the botnet itself is not new, Microsoft\u2019s IoT security researchers recently discovered that Mozi has evolved to achieve persistence on network gateways manufactured by Netgear, Huawei, and ZTE. It does this using clever persistence techniques that are specifically adapted to each gateway\u2019s particular architecture.<\/p>\n<p>Network gateways are a particularly juicy target for adversaries because they are ideal as initial access points to corporate networks. Adversaries can search the internet for vulnerable devices via scanning tools like Shodan, infect them, perform reconnaissance, and then move laterally to compromise higher value targets\u2014including information systems and critical industrial control system (ICS) devices in the operational technology (OT) networks.<\/p>\n<p>By infecting routers, they can perform man-in-the-middle (MITM) attacks\u2014via HTTP hijacking and DNS spoofing\u2014to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities. In the diagram below we show just one example of how the vulnerabilities and newly discovered persistence techniques could be used together. Of course, there are many more possibilities.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-95778\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Mozi-attack-flow.png\" alt=\"Attack flow for Mozi botnet.\" width=\"800\" height=\"450\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Mozi-attack-flow.png 800w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Mozi-attack-flow-300x169.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Mozi-attack-flow-768x432.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Mozi-attack-flow-687x385.png 687w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Mozi-attack-flow-767x431.png 767w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Mozi-attack-flow-539x303.png 539w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/p>\n<p><em>Figure 1: Attack flow for Mozi botnet.<\/em><\/p>\n<h2>Guidance: Proactive defense<\/h2>\n<p>Businesses and individuals that are using impacted network gateways (Netgear, Huawei, and ZTE) should take the following steps immediately to ensure they are resistant to the attacks described in this blog:<\/p>\n<ol>\n<li>Ensure all passwords used on the device are created using <a href=\"https:\/\/support.microsoft.com\/en-us\/windows\/create-and-use-strong-passwords-c5cebb49-8c53-4f5e-2bc4-fe357ca048eb\" target=\"_blank\" rel=\"noopener\">strong password best practices<\/a>.<\/li>\n<li>Ensure devices are patched and up-to-date.<\/li>\n<\/ol>\n<p>Doing so will reduce the attack surfaces leveraged by the botnet and prevent attackers from getting into a position where they can use the newly discovered persistence and other exploit techniques described in more detail below.<\/p>\n<p>The intelligence of our security cloud and all of our Microsoft Defender products, including <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/threat-protection\/microsoft-365-defender\" target=\"_blank\" rel=\"noopener\">Microsoft 365<\/a><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/threat-protection\/microsoft-365-defender\" target=\"_blank\" rel=\"noopener\">\u00a0Defender<\/a> (XDR), <a href=\"https:\/\/azure.microsoft.com\/en-us\/services\/azure-sentinel\/\" target=\"_blank\" rel=\"noopener\">Azure Sentinel<\/a> (cloud-native SIEM\/SOAR), as well as <a href=\"https:\/\/azure.microsoft.com\/en-us\/services\/azure-defender-for-iot\/\" target=\"_blank\" rel=\"noopener\">Azure Defender for IoT<\/a> also provide protection from this malware and are continuously updated with the latest threat intelligence as the threat landscape continues to evolve. The recent <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/07\/12\/microsoft-to-acquire-riskiq-to-strengthen-cybersecurity-of-digital-transformation-and-hybrid-work\/\" target=\"_blank\" rel=\"noopener\">acquisition of ReFirm Labs<\/a> will further enhance Azure Defender for IoT\u2019s ability to protect customers with its upcoming deep firmware scanning, analysis capabilities which will be integrated with <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/iot-hub-device-update\/understand-device-update\" target=\"_blank\" rel=\"noopener\">Device Update for Azure IoT Hub\u2019s<\/a> patching capabilities.<\/p>\n<h2>Technical description of new persistence capabilities<\/h2>\n<p>Apart from its known extensive P2P and DDoS abilities, we have recently observed several new and unique capabilities of the Mozi botnet.<\/p>\n<p>Targeting Netgear, Huawei, and ZTE gateways, the malware now takes specific actions to increase its chances of survival upon reboot or any other attempt by other malware or responders to interfere with its operation. Here are some examples:<\/p>\n<h3>Achieving privileged persistence<\/h3>\n<p>A specific check is conducted for the existence of the <strong>\/overlay<\/strong> folder, and whether the malware does not have write permissions to the folder <strong>\/etc<\/strong>. In this case, it will try to exploit <strong><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2015-1328\" target=\"_blank\" rel=\"noopener\">CVE-2015-1328<\/a><\/strong>.<\/p>\n<p>Successful exploitation of the vulnerability will grant the malware access to the following folders:<\/p>\n<ul>\n<li>\/etc\/rc.d<\/li>\n<li>\/etc\/init.d<\/li>\n<\/ul>\n<p>Then the following actions are taken:<\/p>\n<ul>\n<li>It places the script file named <strong>S95Baby.sh<\/strong> in these folders.<\/li>\n<li>The script runs the files <strong>\/usr\/networks<\/strong> or <strong>\/user\/networktmp<\/strong>. These are copies of the executable.<\/li>\n<li>It adds the script to <strong>\/etc\/rcS.d<\/strong> and <strong>\/etc\/rc.loca<\/strong>l in case it lacks privileges.<\/li>\n<\/ul>\n<h3>ZTE devices<\/h3>\n<p>A specific check is conducted for the existence of the <strong>\/usr\/local\/ct<\/strong> folder; this serves as an indicator of the device being a ZTE modem\/router device.<\/p>\n<p>The following actions are taken:<\/p>\n<ul>\n<li>It copies its other instance <strong>(\/usr\/networks)<\/strong> to <strong>\/usr\/local\/ct\/ctadmin0<\/strong>; this provides persistency for the malware.<\/li>\n<li>It deletes the file <strong>\/home\/httpd\/web_shell_cmd.gch<\/strong>. This file can be used to gain access through exploitation of the vulnerability <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2014-2321\" target=\"_blank\" rel=\"noopener\"><strong>CVE-2014-2321<\/strong><\/a>; deleting it prevents future attacks.<\/li>\n<li>It executes the following commands. These disable <strong>Tr-069<\/strong> and its ability to connect to auto-configuration server (ACS). <strong>Tr-069<\/strong> is a protocol for remote configuration of network devices; it\u2019s usually utilized by service providers to configure customers\u2019 equipment.<\/li>\n<\/ul>\n<pre style=\"padding-left: 80px;\">sendcmd 1 DB set MgtServer 0 Tr069Enable 1 \r\nsendcmd 1 DB set PdtMiddleWare 0 Tr069Enable 0 \r\nsendcmd 1 DB set MgtServer 0 URL http:\/\/127.0.0.1 \r\nsendcmd 1 DB set MgtServer 0 UserName notitms \r\nsendcmd 1 DB set MgtServer 0 ConnectionRequestUsername notitms \r\nsendcmd 1 DB set MgtServer 0 PeriodicInformEnable 0 \r\nsendcmd 1 DB save<\/pre>\n<h3>Huawei devices<\/h3>\n<p>Execution of the following commands changes the password and disables the management server for Huawei modem\/router devices. It also prevents others from gaining access to the device through the management server.<\/p>\n<pre style=\"padding-left: 80px;\">cfgtool set \/mnt\/jffs2\/hw_ctree.xml \r\nInternetGatewayDevice.ManagementServer URL http:\/\/127.0.0.1\r\ncfgtool set \/mnt\/jffs2\/hw_ctree.xml \r\nInternetGatewayDevice.ManagementServer ConnectionRequestPassword acsMozi<\/pre>\n<p>To provide an additional level of persistence it also creates the following files if needed and appends an instruction to run its copy from <strong>\/usr\/networks<\/strong>.<\/p>\n<pre style=\"padding-left: 80px;\">\/mnt\/jffs2\/Equip.sh\r\n\/mnt\/jffs2\/wifi.sh\r\n\/mnt\/jffs2\/WifiPerformance.sh<\/pre>\n<h3>Preventing remote access<\/h3>\n<p>The malware blocks the following TCP ports:<\/p>\n<ul>\n<li>23\u2014Telnet<\/li>\n<li>2323\u2014Telnet alternate port<\/li>\n<li>7547\u2014Tr-069 port<\/li>\n<li>35000\u2014Tr-069 port on Netgear devices<\/li>\n<li>50023\u2014Management port on Huawei devices<\/li>\n<li>58000\u2014Unknown usage<\/li>\n<\/ul>\n<p>These ports are used to gain remote access to the device. Shutting them increases the malware\u2019s chances of survival.<\/p>\n<h3>Script infector<\/h3>\n<p>It scans for <strong>.sh<\/strong> files in the filesystem, excluding the following paths:<\/p>\n<pre style=\"padding-left: 80px;\">\/tmp \/dev \/var \/lib \/haha \/proc \/sys<\/pre>\n<p>It also appends a line to each file. The line instructs the script to run a copy of the malware from <strong>\/usr\/networks<\/strong>. This increases its chances of survival on various devices.<\/p>\n<h3>Traffic injection and DNS spoofing capabilities<\/h3>\n<p>The malware receives commands from its distributed hash table (DHT) network. The latter is a P2P protocol for decentralized communications. The commands are received and stored in a file, of which parts are encrypted. This module works only on devices capable of IPv4 forwarding. It checks whether <strong>\/proc\/sys\/net\/ipv4\/ip_forward<\/strong> is set to 1; such positive validation is characteristic of routers and gateways. This module works on ports UDP 53 (DNS) and TCP 80 (HTTP).<\/p>\n<h3>Configuration commands<\/h3>\n<p>Apart from the previously documented commands in Table 1\u2014for more information, read <a href=\"https:\/\/malware.news\/t\/a-new-botnet-attack-just-mozied-into-town\/43210\" target=\"_blank\" rel=\"noopener\">A New Botnet Attack Just Mozied Into Town<\/a>\u2014we also discovered these commands:<\/p>\n<pre style=\"padding-left: 80px;\">[hi] \u2013 Presence of the command indicates it needs to use the MiTM module.\r\n[set] \u2013 Contains encrypted portion which describes how to use the MiTM module.<\/pre>\n<figure class=\"wp-block-table\">\n<table>\n<tbody>\n<tr>\n<td><strong>Command<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>[ss]<\/strong><\/td>\n<td>Bot role<\/td>\n<\/tr>\n<tr>\n<td><strong>[ssx]<\/strong><\/td>\n<td>enable\/disable tag [ss]<\/td>\n<\/tr>\n<tr>\n<td><strong>[cpu]<\/strong><\/td>\n<td>CPU architecture<\/td>\n<\/tr>\n<tr>\n<td><strong>[cpux]<\/strong><\/td>\n<td>enable\/disable tag [cpu]<\/td>\n<\/tr>\n<tr>\n<td><strong>[nd]<\/strong><\/td>\n<td>new DHT node<\/td>\n<\/tr>\n<tr>\n<td><strong>[hp]<\/strong><\/td>\n<td>DHT node hash prefix<\/td>\n<\/tr>\n<tr>\n<td><strong>[atk]<\/strong><\/td>\n<td>DDoS attack type<\/td>\n<\/tr>\n<tr>\n<td><strong>[ver]<\/strong><\/td>\n<td>Value in V section in DHT protocol<\/td>\n<\/tr>\n<tr>\n<td><strong>[sv]<\/strong><\/td>\n<td>Update config<\/td>\n<\/tr>\n<tr>\n<td><strong>[ud]<\/strong><\/td>\n<td>Update bot<\/td>\n<\/tr>\n<tr>\n<td><strong>[dr]<\/strong><\/td>\n<td>Download and execute payload from the specified URL<\/td>\n<\/tr>\n<tr>\n<td><strong>[rn]<\/strong><\/td>\n<td>Execute specified command<\/td>\n<\/tr>\n<tr>\n<td><strong>[dip]<\/strong><\/td>\n<td>ip:port to download Mozi bot<\/td>\n<\/tr>\n<tr>\n<td><strong>[idp]<\/strong><\/td>\n<td>report bot<\/td>\n<\/tr>\n<tr>\n<td><strong>[count]<\/strong><\/td>\n<td>URL that used to report bot<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><em>Table 1. Previously documented Mozi commands.<\/em><\/p>\n<h3>DNS spoofing<\/h3>\n<p>Mozi receives a very simple list of DNS names which are then spoofed. Its structure is as follows:<\/p>\n<pre style=\"padding-left: 80px;\">&lt;DNS to spoof&gt;:&lt;IP to spoof&gt;<\/pre>\n<p>Each DNS request is answered with the spoofed IP. This is an efficient technique to redirect traffic to the attackers\u2019 infrastructure.<\/p>\n<h3>HTTP session hijacking<\/h3>\n<p>This part of the MITM functionality is responsible for hijacking HTTP sessions. Not every HTTP request is processed. There are several conditions for it to be qualified for hijacking, most of which are meant to restrict the module\u2019s \u201clevel of noise\u201d to lower the chances of it being discovered by network defenders.<\/p>\n<p>The following are some of the rules:<\/p>\n<ul>\n<li>It works only for HTTP GET requests. This means forms and more complex requests are ignored.<\/li>\n<li>A random number in the configuration states how many queries it would inject. This shows the attackers understand the importance of hiding this functionality. In other words, they are lowering its footprint in order to avoid alerting the user of the hijacking.<\/li>\n<li>Some domains are ignored, most likely to avoid interference with the normal operation of certain types of equipment or to avoid detection by various security countermeasures.<\/li>\n<li>It only spoofs external traffic; HTTP requests inside the LAN are ignored.<\/li>\n<li>A test is conducted to validate that the URL doesn\u2019t contain the string <strong>\u201cveri=20190909\u201d<\/strong>\u2014this is done to prevent injecting the already-injected pages.<\/li>\n<li>It returns a random HTTP response derived from a predefined list of responses. It has nine different types of hijacking; the specific type of hijacking and its parameters are derived from the configuration file. Below are a few examples of these hijacking techniques.<\/li>\n<li>Some of the spoofing occurs via redirection using the HTTP Location header, as seen below.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-95826 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Spoofing-via-HTTP.png\" alt=\"Spoofing via redirection using the HTTP Location header. This should automatically redirect without any user interaction.\" width=\"511\" height=\"245\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Spoofing-via-HTTP.png 511w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Spoofing-via-HTTP-300x144.png 300w\" sizes=\"(max-width: 511px) 100vw, 511px\" \/><\/p>\n<p><em>Example 1: Spoofing via redirection using the HTTP Location header. This should automatically redirect without any user interaction.<\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-95829\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Hijacking-method-javascript.png\" alt=\"A hijacking method which only injects JavaScript; it is designed for ajax calls that evaluate the response, so this hijack method will inject a new script into the page.\" width=\"511\" height=\"245\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Hijacking-method-javascript.png 511w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Hijacking-method-javascript-300x144.png 300w\" sizes=\"(max-width: 511px) 100vw, 511px\" \/><\/p>\n<p><em>Example 2: A hijacking method that only injects JavaScript; it is designed for ajax calls that evaluate the response, so this hijack method will inject a new script into the page.<\/em><\/p>\n<h2>Protecting from Mozi Malware<\/h2>\n<p>It is important to note that Microsoft Security solutions have already been updated to protect, detect, and respond to Mozi and its enhanced capabilities.<\/p>\n<p>Customers can use the network device discovery capabilities found in <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/threat-protection\/endpoint-defender\" target=\"_blank\" rel=\"noopener\">Microsoft Defender for Endpoint<\/a> to discover impacted internet gateways on their IT networks and run vulnerability assessments. Additionally, the agentless network-layer capabilities of <a href=\"https:\/\/azure.microsoft.com\/en-us\/services\/azure-defender-for-iot\/\" target=\"_blank\" rel=\"noopener\">Azure Defender for IoT<\/a> can be used to perform continuous asset discovery, vulnerability management, and threat detection for IoT and OT devices on their OT networks. This solution can be rapidly deployed (typically less than one day per site), and it is available for both on-premises and cloud-connected environments.<\/p>\n<p>Defender for IoT is also tightly integrated with <a href=\"https:\/\/azure.microsoft.com\/en-in\/services\/azure-sentinel\/\" target=\"_blank\" rel=\"noopener\">Azure Sentinel<\/a>, which provides a bird\u2019s eye view across your entire enterprise\u2014leveraging AI and automated playbooks to detect and respond to multi-stage attacks that often cross IT and OT boundaries.<\/p>\n<p>In addition to detecting targeted attacks and living-off-the-land (LOTL) tactics via IoT\/OT-aware behavioral analytics, Defender for IoT incorporates threat information derived from trillions of signals analyzed daily by Microsoft\u2019s global team of security experts using AI and machine learning. This helps ensure our customers are continuously protected against both new and existing threats.<\/p>\n<p>While we offer many solutions, it remains critical that each of the recommendations in the &#8220;Guidance: Proactive defense&#8221; section above be implemented on the impacted internet gateways to prevent them from becoming a vector of attack.<\/p>\n<p>To learn more about how our integrated SIEM\/XDR solutions, combined with Azure Defender for IoT, can help secure your organization, please refer to the following resources:<\/p>\n<ul>\n<li><a href=\"https:\/\/azure.microsoft.com\/en-us\/services\/azure-defender-for-iot\/\" target=\"_blank\" rel=\"noopener\">Azure Defender for IoT<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/defender-for-iot\/organizations\/overview\" target=\"_blank\" rel=\"noopener\">Overview of Azure Defender for IoT<\/a><\/li>\n<li><a href=\"https:\/\/azure.microsoft.com\/en-us\/services\/azure-sentinel\/\" target=\"_blank\" rel=\"noopener\">Azure Sentinel<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/sentinel\/overview\" target=\"_blank\" rel=\"noopener\">Overview of Azure Sentinel<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/threat-protection\/microsoft-365-defender\" target=\"_blank\" rel=\"noopener\">Microsoft 365 Defender<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/defender\/microsoft-365-defender?view=o365-worldwide\" target=\"_blank\" rel=\"noopener\">Overview of Microsoft 365 Defender<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/device-discovery?view=o365-worldwide\" target=\"_blank\" rel=\"noopener\">Device discovery overview for Microsoft Defender for Endpoint and Microsoft 365 Defender<\/a><\/li>\n<\/ul>\n<p>To learn more about Microsoft Security solutions,\u00a0<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/solutions\" target=\"_blank\" rel=\"noopener\">visit our\u00a0website<\/a>.\u00a0Bookmark the\u00a0<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\" target=\"_blank\" rel=\"noopener\">Security blog<\/a>\u00a0to keep up with our expert coverage on security matters. Also, follow us at\u00a0<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noopener\">@MSFTSecurity<\/a>\u00a0for the latest news and updates on cybersecurity.<\/p>\n<p>&nbsp;<\/p>\n<hr \/>\n<p><sup>1<\/sup><a href=\"https:\/\/blog.netlab.360.com\/mozi-another-botnet-using-dht\/\" target=\"_blank\" rel=\"noopener\">Mozi, Another Botnet Using DHT<\/a>, Alex Turing, Hui Wang, NetLab 360, 23 December 2019.<\/p>\n<p><sup>2<\/sup><a href=\"https:\/\/www.cyberswachhtakendra.gov.in\/alerts\/MoziIoTBotnet.html\" target=\"_blank\" rel=\"noopener\">Mozi IoT Botnet<\/a>, CERT-In, Ministry of Electronics and Information Technology Government of India, 12 November 2020.<\/p>\n<p><sup>3<\/sup><a href=\"https:\/\/blog.lumen.com\/new-mozi-malware-family-quietly-amasses-iot-bots\/\" target=\"_blank\" rel=\"noopener\">New Mozi Malware Family Quietly Amasses IoT Bots<\/a>, Black Lotus Labs, Lumen, 13 April 2020.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mozi is a peer-to-peer (P2P) botnet that uses a BitTorrent-like network to infect IoT devices such as network gateways and digital video records (DVRs). It works by exploiting weak telnet passwords1 and nearly a dozen unpatched IoT vulnerabilities2 and it\u2019s been used to conduct distributed denial-of-service (DDoS) attacks, data exfiltration, and command or payload execution.<\/p>\n","protected":false},"author":106,"featured_media":95838,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3659],"topic":[3676,3685],"products":[3690,3693,3726],"threat-intelligence":[],"tags":[3921,3809],"coauthors":[2673,2676,2679],"class_list":["post-95751","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-best-practices","topic-iot-security","topic-siem-and-xdr","products-microsoft-defender","products-microsoft-defender-xdr","products-microsoft-sentinel","tag-living-off-the-land","tag-security-strategies"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to proactively defend against Mozi IoT botnet | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to proactively defend against Mozi IoT botnet | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"Mozi is a peer-to-peer (P2P) botnet that uses a BitTorrent-like network to infect IoT devices such as network gateways and digital video records (DVRs). It works by exploiting weak telnet passwords1 and nearly a dozen unpatched IoT vulnerabilities2 and it\u2019s been used to conduct distributed denial-of-service (DDoS) attacks, data exfiltration, and command or payload execution.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-08-19T18:00:46+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-09-11T22:53:35+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Win17_CDOC_1039.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"827\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"David Atch, Gil Regev, Ross Bevington\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Win17_CDOC_1039.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"David Atch, Gil Regev, Ross Bevington\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/david-atch\/\",\"@type\":\"Person\",\"@name\":\"David Atch\"},{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/gil-regev\/\",\"@type\":\"Person\",\"@name\":\"Gil Regev\"},{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/ross-bevington\/\",\"@type\":\"Person\",\"@name\":\"Ross Bevington\"}],\"headline\":\"How to proactively defend against Mozi IoT botnet\",\"datePublished\":\"2021-08-19T18:00:46+00:00\",\"dateModified\":\"2023-09-11T22:53:35+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/\"},\"wordCount\":1764,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Win17_CDOC_1039.jpg\",\"keywords\":[\"Living off the land\",\"Security strategies\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/\",\"name\":\"How to proactively defend against Mozi IoT botnet | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Win17_CDOC_1039.jpg\",\"datePublished\":\"2021-08-19T18:00:46+00:00\",\"dateModified\":\"2023-09-11T22:53:35+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Win17_CDOC_1039.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Win17_CDOC_1039.jpg\",\"width\":1200,\"height\":827,\"caption\":\"Microsoft Cyber Defense Operations Center.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to proactively defend against Mozi IoT botnet\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to proactively defend against Mozi IoT botnet | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/","og_locale":"en_US","og_type":"article","og_title":"How to proactively defend against Mozi IoT botnet | Microsoft Security Blog","og_description":"Mozi is a peer-to-peer (P2P) botnet that uses a BitTorrent-like network to infect IoT devices such as network gateways and digital video records (DVRs). It works by exploiting weak telnet passwords1 and nearly a dozen unpatched IoT vulnerabilities2 and it\u2019s been used to conduct distributed denial-of-service (DDoS) attacks, data exfiltration, and command or payload execution.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/","og_site_name":"Microsoft Security Blog","article_published_time":"2021-08-19T18:00:46+00:00","article_modified_time":"2023-09-11T22:53:35+00:00","og_image":[{"width":1200,"height":827,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Win17_CDOC_1039.jpg","type":"image\/jpeg"}],"author":"David Atch, Gil Regev, Ross Bevington","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Win17_CDOC_1039.jpg","twitter_misc":{"Written by":"David Atch, Gil Regev, Ross Bevington","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/david-atch\/","@type":"Person","@name":"David Atch"},{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/gil-regev\/","@type":"Person","@name":"Gil Regev"},{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/ross-bevington\/","@type":"Person","@name":"Ross Bevington"}],"headline":"How to proactively defend against Mozi IoT botnet","datePublished":"2021-08-19T18:00:46+00:00","dateModified":"2023-09-11T22:53:35+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/"},"wordCount":1764,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Win17_CDOC_1039.jpg","keywords":["Living off the land","Security strategies"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/","name":"How to proactively defend against Mozi IoT botnet | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Win17_CDOC_1039.jpg","datePublished":"2021-08-19T18:00:46+00:00","dateModified":"2023-09-11T22:53:35+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Win17_CDOC_1039.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/08\/Win17_CDOC_1039.jpg","width":1200,"height":827,"caption":"Microsoft Cyber Defense Operations Center."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/19\/how-to-proactively-defend-against-mozi-iot-botnet\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"How to proactively defend against Mozi IoT botnet"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/95751"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/106"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=95751"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/95751\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/95838"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=95751"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=95751"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=95751"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=95751"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=95751"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=95751"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=95751"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}