Researchers have discovered a new variant of the infamous Mirai Internet of Things botnet, which this time targets embedded devices intended for use in business environments in an attempt to seize control of greater bandwidth and launch devastating DDoS attacks.
Even though the original developers of the Mirai botnet have been arrested and imprisoned, variants of the infamous IoT malware, such as Satori and Okiru, continue to emerge due to the availability of its source code on the Internet since 2016.
Mirai is a well-known IoT botnet malware that emerged in 2016 and is capable of infecting routers, security cameras, DVRs, and other smart devices that typically use default credentials and run outdated versions of Linux. It then enslaves the compromised devices to form a botnet, which is then used to launch DDoS attacks.
New Mirai Variant Targets Enterprise Internet of Things Devices
Now, researchers from Palo Alto Networks Unit 42 have identified the newest variant of Mirai, which for the first time targets enterprise-focused devices, including WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs.
The Mirai variant adds eleven new exploits to its “multi-exploit battery” for a total of twenty-seven exploits, as well as a new set of “unusual default credentials” for brute force attacks against Internet-connected devices.
“These new features provide the botnet with a large attack surface,” Unit 42 researchers wrote in a Monday blog post. “Targeting enterprise links in particular grants the botnet access to larger bandwidth, resulting in greater firepower for DDoS attacks.”
An exploit for remote code execution in LG Supersign televisions (CVE-2018-17173) was released in September of last year, and exploit code for a command-injection flaw in the WePresent WiPG-1000 was published in 2017.
In addition to these two exploits, the new Mirai variant targets diverse embedded hardware, including:
- Linksys routers
- ZTE routers
- D-Link routers
- network storage devices
- NVRs and IP cameras
After scanning for and identifying vulnerable devices, the malware retrieves the new Mirai payload from a compromised website and downloads it onto the target device, which is then added to the botnet and can be used to launch HTTP flood DDoS attacks.
The infamous botnet Mirai was responsible for record-breaking DDoS attacks, including those against France-based hosting provider OVH and Dyn DNS service, which crippled some of the world’s largest websites, including Twitter, Netflix, Amazon, and Spotify.
After its source code was made public in October 2016, Mirai-based attacks surged, as attackers were able to upgrade the malware with newly disclosed exploits according to their needs and targets.
“These [new] developments highlight the importance for businesses to be aware of the IoT devices on their network, change default passwords, and ensure devices are patched to the most recent version,” researchers said.
“As a last resort, remove from the network any devices that cannot be patched.”
So what’s the takeaway? Ensure that you change the default passwords for your internet-connected devices as soon as you bring them home or to the office, and that you always install the latest security patches.