Vulnerable perimeter devices remain a popular target, and we do see consistent exploit attempts against them. This weekend, Guy wrote about some scans for Fortinet vulnerabilities, and Xavier notes that Crowdstrike observed attacks against EoL Sonicwalls. Starting earlier this month, we also observed a consistent trickle of requests looking for a relatively recent Sonicwall vulnerability:
These requests started about a week ago and appeared to originate from a botnet associated loosely with the "Mirai" family.
These requests appear to be looking for exposed devices that may be vulnerable to, get this: Shellshock! Shellshock is not a new vulnerability. It was first discovered in 2014 and has been heavily exploited ever since. Sonicwall fixed the problem in 2015 with firmware release SMA 126.96.36.199. But according to some more recent blog posts, there appear to be plenty of unpatched targets, and it looks like at least one botnet added this exploit to its repertoire.
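To check your own web or reverse-proxy logs for this kind of probe, the sketch below flags Shellshock-style requests. It is an added example, not code from this diary; the log lines, IP addresses and the `/cgi-bin/example.sh` path are constructed placeholders, and it assumes Combined Log Format.

```python
import re
from urllib.parse import unquote

# Combined Log Format: ip - - [time] "request" status size "referer" "user-agent"
FIELD = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] ' + FIELD + r' (\d{3}) \S+ ' + FIELD + ' ' + FIELD)

# Vulnerable bash treats a variable as a function when its value starts with "() {".
# Anchor to the start of a header value or of a query parameter value, so that
# ordinary JavaScript such as "function(){}" in a URL is not flagged.
SHELLSHOCK_RE = re.compile(r'(?:^|[?&=])\s*\(\)\s*\{')

def decode(value, rounds=2):
    """URL-decode up to `rounds` times to catch %28%29%20%7B and double encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_shellshock(lines):
    """Return one hit per log field that carries a Shellshock function prefix."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        ip, request, status, referer, agent = m.groups()
        for name, value in (("request", request), ("referer", referer), ("agent", agent)):
            if SHELLSHOCK_RE.search(decode(value)):
                hits.append({"line": lineno, "ip": ip, "field": name, "status": int(status)})
    return hits

# Constructed sample log (documentation IP ranges, placeholder path).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jun/2021:08:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Jun/2021:08:00:05 +0000] "GET /cgi-bin/example.sh HTTP/1.1" 404 0 "-" "() { :; }; echo constructed-test"',
    '203.0.113.9 - - [15/Jun/2021:08:00:09 +0000] "GET /cgi-bin/example.sh?a=%28%29%20%7B%20%3A%3B%20%7D%3B HTTP/1.1" 200 0 "-" "curl/7.68.0"',
    '192.0.2.44 - - [15/Jun/2021:08:00:12 +0000] "GET /app.js?cb=function(){} HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(hit)
```

A hit with a 200 status on a CGI path deserves a closer look than a 404, since the script at least exists on the device.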
The same botnet is also scanning for these vulnerabilities:
The attackers do appear to attempt to install a version of Mirai.
A quick scan of the UPX-compressed binary downloaded by these attempts shows that this botnet may have some additional tricks up its sleeve. For example:
This request appears to be targeting a recently disclosed vulnerability in Tenda AC11 Routers (CVE-2021-31755).
Another request looks like an exploit for CVE-2021-27561/27562 affecting Yealink Device Management.
Here is a complete list of the GET/POST requests found in the binary:
Jun 15th 2021