The landscape of cybersecurity threats has reached unprecedented dimensions and is projected to escalate significantly in 2018. The original architects of the notorious Mirai DDoS botnet have been apprehended, yet variants of this infamous IoT malware continue to proliferate, largely due to the public availability of its source code on the web. Recent observations by security researchers reveal a new variant of the Mirai malware specifically engineered to compromise insecure devices operating on ARC embedded processors.
Until now, Mirai and its derivatives have predominantly focused on targeting various CPU architectures, including x86, ARM, Sparc, MIPS, PowerPC, and Motorola 6800, which are embedded in an extensive range of IoT devices. The newly identified variant, known as Okiru, was initially detected by a researcher affiliated with the MalwareMustDie team and has garnered attention from independent specialists. This ELF malware aims to exploit ARC-based embedded devices that utilize the Linux operating system.
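Because the only difference between Okiru and earlier Mirai builds visible at triage time is the CPU the ELF was compiled for, a defender can sort quarantined samples by target architecture straight from the ELF header. The following is an added example, not code from the article or from any researcher it cites: it reads the class, byte order and `e_machine` field of an ELF header, using the well-known `e_machine` constants from the ELF specification (the three ARC identifiers are 45, 93 and 195), and runs over constructed, minimal headers that stand in for real samples.

```python
import struct

# e_machine values from the ELF specification (Linux elf.h); covers the
# architectures the article names plus the three ARC ABI identifiers.
ELF_MACHINES = {
    2: "SPARC", 3: "x86", 4: "Motorola 68000", 8: "MIPS", 20: "PowerPC",
    21: "PowerPC64", 40: "ARM", 43: "SPARC V9", 45: "ARC (legacy)",
    62: "x86-64", 93: "ARC (ARCompact)", 183: "AArch64", 195: "ARC (ARCv2)",
}
ARC_MACHINES = {45, 93, 195}


def parse_elf_header(data: bytes) -> dict:
    """Read class, byte order, file type and target machine from an ELF header."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed ELF identification bytes")
    # e_type and e_machine are 16-bit fields at offset 16, in the file's own byte order.
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": {1: "REL", 2: "EXEC", 3: "DYN"}.get(e_type, "other"),
        "arch": ELF_MACHINES.get(e_machine, f"unknown ({e_machine})"),
        "is_arc": e_machine in ARC_MACHINES,
    }


def make_sample_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Constructed test input: a minimal 52-byte ELF header (ET_EXEC) with the given fields."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + bytes(9)   # 16-byte e_ident
    return ident + struct.pack(endian + "HH", 2, e_machine) + bytes(32)


# Constructed samples standing in for files pulled from a quarantine directory.
SAMPLES = {
    "sample_arc.elf": make_sample_header(1, 1, 93),   # 32-bit LE ARCompact
    "sample_arm.elf": make_sample_header(1, 1, 40),   # 32-bit LE ARM
    "sample_mips.elf": make_sample_header(1, 2, 8),   # 32-bit BE MIPS
}


def triage(samples: dict) -> list:
    """Return (name, arch) for every sample whose header targets an ARC CPU."""
    parsed = {name: parse_elf_header(data) for name, data in samples.items()}
    return [(name, info["arch"]) for name, info in parsed.items() if info["is_arc"]]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        info = parse_elf_header(data)
        print(f"{name}: {info['bits']}-bit {info['endian']}-endian {info['type']} for {info['arch']}")
    print("ARC-targeted:", triage(SAMPLES))
```

Real samples should be opened in binary mode and only the first 52 or 64 bytes passed in; the header alone says nothing about what the code does, so an ARC hit is a reason to prioritise the sample, not a verdict.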
As noted by the independent researcher, this is a historic development in computer engineering; it marks the first instance of malware targeting ARC CPUs. With over two billion ARC processor-based devices shipped annually, including those found in cameras, mobile phones, utility meters, televisions, flash drives, and automotive systems, the potential for widespread damage is substantial.
While Okiru is a Linux ELF-based variant, it is essential to note that it is distinct from another previously identified Mirai variant known as Satori. Despite surface similarities, Okiru presents unique characteristics and operational methods that differentiate it from its predecessor.
The consequences of Okiru’s emergence could shift the dynamics of DDoS attacks significantly. IoT devices are increasingly being integrated across a variety of settings—from homes and businesses to hospitals and smart cities—as their deployment surges. However, these devices often suffer from inadequate security protocols, making them ripe targets for cybercriminals looking to manipulate them into weapons for larger attacks.
Historically, the largest DDoS attack recorded, exceeding 1 Tbps, was executed using just 152,000 compromised IoT devices harnessed via the Mirai botnet. In another instance, 100,000 infected devices were sufficient to disrupt the operations of the well-known DynDNS service in late 2016. With Okiru’s capability to target a vast array of potentially vulnerable devices, the next wave of DDoS attacks could indeed set new records.
With ARC-based IoT devices now entering the botnet landscape, the growing pool of insecure devices creates favorable conditions for attackers. In MITRE ATT&CK terms, the relevant tactics include initial access through exploitation of vulnerabilities, persistence techniques used to maintain a foothold on compromised devices, and privilege escalation to maximize control over those systems.
As Okiru continues to evolve, stakeholders in the cybersecurity domain must remain vigilant in defending against this escalating threat. The risk posed by the new variant is significant, and businesses need a proactive approach to fortify their defenses against such emerging threats.
The influx of ARC-based devices into botnet operations not only raises significant concerns for security practices but also underscores the critical need for robust security measures to ensure that today’s technological advancements do not become tomorrow’s vulnerabilities.