ShadowV2 Strikes: How the Botnet Malware Exploited the AWS Outage for Testing
New ShadowV2 Botnet Malware Targets IoT Devices
A new strain of Mirai-based botnet malware, dubbed ‘ShadowV2,’ has recently been detected exploiting vulnerabilities in IoT devices from various manufacturers such as D-Link and TP-Link. This malicious software was first observed by researchers at Fortinet’s FortiGuard Labs during a significant AWS outage in October, although the two events are not directly linked. The botnet’s activity coincided with the outage, suggesting that it may have been a test run to assess its capabilities.
ShadowV2 exploits at least eight known vulnerabilities in multiple IoT products, including devices from DD-WRT, D-Link, DigiEver, TBK, and TP-Link. Of particular concern is CVE-2024-10914, a command injection flaw affecting end-of-life D-Link devices that the vendor has decided not to patch. Similarly, CVE-2024-10915 remains unaddressed for impacted models, despite a report highlighting its exploitation in November 2024.
In response to these vulnerabilities, D-Link has updated its advisories to warn users about the risks associated with end-of-life or end-of-support devices. While some flaws have been addressed through firmware updates, others, like CVE-2024-10915, remain unresolved.
Fortinet’s researchers have traced the ShadowV2 attacks back to a specific IP address and identified the botnet’s global impact across various sectors, including government, technology, manufacturing, and education. The malware, identified as “ShadowV2 Build v1.0.0 IoT version,” shares similarities with the Mirai LZRD variant and is distributed through a downloader script that retrieves it from a remote server.
ShadowV2 is capable of launching distributed denial-of-service (DDoS) attacks over UDP, TCP, and HTTP, with different flood types for each protocol. The malware's command-and-control (C2) infrastructure enables threat actors to trigger these attacks by sending commands to compromised devices.
While the monetization strategy behind ShadowV2 remains unclear, DDoS botnets typically generate revenue by renting out their firepower to cybercriminals or extorting targets for payment to halt attacks. Fortinet has shared indicators of compromise (IoCs) to help organizations identify and mitigate this emerging threat, emphasizing the importance of keeping IoT device firmware up to date.
Protecting Against ShadowV2
As the cybersecurity landscape evolves, staying ahead of emerging threats like ShadowV2 is crucial. Implementing best practices, such as keeping firmware updated and following security guidelines, can help safeguard IoT devices against malicious actors. Organizations are encouraged to stay vigilant and proactive in securing their network infrastructure to mitigate the risks posed by sophisticated malware like ShadowV2.
Source: Fortinet

