Recent investigations by security experts have identified a new strain of the notorious Mirai Internet of Things (IoT) botnet, specifically targeting embedded devices used in business environments. This development raises significant concerns as it aims to acquire larger bandwidth for executing large-scale Distributed Denial of Service (DDoS) attacks.

Though the original architects of the Mirai botnet have faced legal repercussions and imprisonment, the legacy of the botnet continues through its various derivatives. Notable variants such as Satori and Okiru have emerged, fueled by the availability of Mirai’s source code released online in 2016. This ongoing evolution underscores the persistent threat posed by IoT malware, as it adapts to exploit new vulnerabilities.

The latest variant, identified by Palo Alto Networks’ Unit 42, marks a significant shift in focus, as it now targets enterprise-specific devices, including WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs. The updated Mirai variant incorporates an additional eleven exploits to its arsenal, increasing its total to twenty-seven, along with a new set of unconventional default credentials designed for brute-force attacks against internet-connected devices.

Unit 42 highlighted the broader implications of these advancements in a blog post, stating, “These new features afford the botnet a large attack surface.” By targeting enterprise infrastructure, this variant also gains access to higher bandwidth, greatly enhancing its DDoS attack capabilities.

Among the vulnerabilities exploited by this iteration of Mirai is a remote code execution flaw for LG Supersign TVs (CVE-2018-17173) revealed last September, alongside a command-injection vulnerability affecting the WePresent WiPG-1000 disclosed in 2017. Furthermore, the botnet is targeting a range of embedded systems, including Linksys, ZTE, and DLink routers, as well as network storage devices and IP cameras.

When the malware's scanner identifies a susceptible device, it retrieves the updated Mirai payload from compromised websites, installs itself on the target, and enrolls the device in a growing network of compromised systems ready to launch HTTP flood DDoS attacks.
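The end product of the infection chain above is an HTTP flood, and the simplest host-side signal for one is a source address whose request rate inside a short window is far above anything a real client produces. The following detector is an added example, not code from the article or from Unit 42: it parses Common Log Format access-log lines, keeps a sliding window of timestamps per source IP, and reports addresses that exceed a request threshold. The log lines, the RFC 5737 documentation addresses and the threshold values are constructed for the example.

```python
"""Rate-based HTTP flood detection over web-server access logs.

Added example (not from the article or Unit 42): flags source IPs whose
request count inside a sliding time window exceeds a threshold, which is
the basic host-side signal for the HTTP flood DDoS the article describes.
The sample log lines are constructed, not captured traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: ip - - [date] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) for a CLF line, or None if it is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req")


def detect_floods(lines, window_seconds=10, threshold=50):
    """Return {ip: peak_requests_in_window} for IPs that exceed the threshold.

    One deque of timestamps is kept per source IP; entries older than the
    window are evicted as new requests arrive, so the pass is linear in the
    number of log lines. Malformed lines are skipped rather than aborting.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def build_sample_log():
    """Constructed sample: one flooding source, one normal client, one junk line."""
    base = datetime.strptime("19/Mar/2019:10:00:00 +0000", TS_FMT)
    lines = []
    # Flooding source (constructed): 120 requests in six seconds, 20 req/s
    for i in range(120):
        t = base + timedelta(milliseconds=50 * i)
        lines.append(f'203.0.113.7 - - [{t.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512')
    # Normal client (constructed): one request every two seconds
    for i in range(10):
        t = base + timedelta(seconds=2 * i)
        lines.append(f'198.51.100.4 - - [{t.strftime(TS_FMT)}] "GET /index.html HTTP/1.1" 200 2048')
    lines.append("this is not a log line")
    return lines


if __name__ == "__main__":
    for ip, peak in detect_floods(build_sample_log()).items():
        print(f"{ip}: {peak} requests within a 10 s window")
```

The threshold has to be tuned per site; a busy API behind a NAT gateway will legitimately show many requests from one address, so in practice the per-IP count is combined with request path diversity, User-Agent and status-code ratios before anything is blocked.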

The Mirai botnet has previously been linked to some of the most significant DDoS incidents, including attacks on the France-based hosting provider OVH and the Dyn DNS service. These incidents crippled major online platforms like Twitter, Netflix, Amazon, and Spotify, highlighting the catastrophic impact that such threats can have.

Since the public release of Mirai’s source code in October 2016, there has been a notable uptick in Mirai-based attacks. The release let cybercriminals build their own variants, each adding exploits for the vulnerabilities found in the devices they target, and amplified the risk to IoT devices that often operate with default settings.

Palo Alto researchers emphasize the crucial need for enterprises to remain vigilant concerning IoT devices on their networks. They recommend changing default passwords, ensuring all devices are updated with the latest security patches, and if unpatchable, removing such devices entirely from the network.

The situation calls for immediate attention from business owners, highlighting the importance of proactive security measures in mitigating the risks associated with the evolving landscape of IoT threats. As cybersecurity challenges continue to escalate, organizations are urged to take decisive action to fortify their network defenses and protect their sensitive data.

In summary, changing default passwords and maintaining updated systems are essential steps for safeguarding against the lurking dangers of the Mirai botnet and its variants, which pose a continued threat to the integrity of enterprise networks and online services.
