Mirai Botnet Upgraded
Written by Karolis Liucveikis on (updated)
Recently published research shows that the infamous Mirai botnet has been upgraded to attack to new classes of Internet of Things (IoT) devices, those been smart signage TVs and wireless presentation systems. This at first glance does not appear to be a major revelation, what is worrying is how the authors of Mirai appear to have spent a lot of time and effort into these upgrades. The upgrades center around the inclusion of new exploits which have been added to older versions of the botnet. With the rise of IoT devices so did the rise of botnets, a malware type which can be defined as a collection of internet-connected devices, which may include PCs, servers, mobile devices, and importantly for Mirai’s case internet of things devices that are infected and controlled by the malware. This creates a network which can be used by a malicious actor to send email spam, engage in click fraud campaigns, and generate malicious traffic for distributed denial-of-service (DDoS) attacks.
Palo Alto Networks, which has been tracking the new developments and published their findings, say that this new Mirai botnet uses 27 exploits, 11 of which are new to Mirai altogether, to break into smart IoT devices and networking equipment. In conjunction with the inclusion of new exploits, the botnet operator has also expanded Mirai's built-in list of default credentials that the malware is using to break into devices that use default passwords. Four new username and password combos have been added to Mirai's considerable list of default credentials. While the botnet has gone through a list of improvements its goal is the same, that being to infect devices via scanning the internet for other IoT devices with exposed Telnet ports and use the default credentials to break in and take over these new devices. The malware is also capable of scanning the Internet for specific types of devices where one of the 27 exploits could be used to infect that device.
In the past, Mirai was used to target routers, modems, security cameras, and DVRs/NVRs as its main priority. This did not mean other devices were not affected by the malware, in rare cases, Mirai malware has ended up on smart TVs, smartphones, and some enterprise Linux and Apache Struts servers. The latest version, according to researchers, has been intentionally targeting two new devices with exploits crafted specifically for that purpose. These new devices targeted are LG Supersign signage TVs and WePresent WiPG-1000 wireless presentation systems. The two exploits used have been available online for months, however, it is believed that this is the first time the exploits have been weaponized. The exploit affecting the LG Supersign has shown that the device is vulnerable to remote code execution mainly due to improper parameter holding. The wireless presentation system exploits is detailed to be vulnerable to command injection attacks. Researchers said that,
“These new features afford the botnet a large attack surface. In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks. The previous instance where we observed the botnet targeting enterprise vulnerabilities was with the incorporation of exploits against Apache Struts and SonicWall.”
One of the interesting aspects of the latest campaign is that the shell script is still alive and been hosted at a compromised website for an electronic security, integration and alarm monitoring business in Colombia. Researchers concluded that,
“IoT/Linux botnets continue to expand their attack surface, either by the incorporation of multiple exploits targeting a plethora of devices, or by adding to the list of default credentials they brute-force, or both. In addition, targeting enterprise vulnerabilities allows them access to links with a potentially larger bandwidth than consumer device links, affording them greater firepower for DDoS attacks.”
In 2016, Mirai was thrust into the public’s domain when a massive distributed denial of service (DDoS) attack left much of the internet inaccessible on the US east coast. The attack, which authorities initially feared was the work of a hostile nation-state, was, in fact, the work of the Mirai botnet. The attack did not intend to knock out the internet for such a vast area, rather it aimed to make a little money off of Minecraft players but what started out humbly avalanched. Minecraft was the target because there's good money to be made in hosting Minecraft game servers, which leads to running skirmishes in which hosts launch DDoS attacks against their rivals, hoping to knock their servers offline and attract their business.
The unintentional knocking out of the US east coast would result in the original creators of Mirai pleading guilty to charges in December 2016. This would not be the end of the Mirai story as the source code was released into the wild. This resulted in a massive uptick in of malware authors continually upgrading the original source code to make it harder for authorities and researchers to combat. While Mirai continually evolves it is reliant on brute force attacks to compromise devices. This admins and users can prevent by changing IoT device passwords to something more robust and definitely not using the default credentials the device came with. Further, Mirai stores itself in memory, rebooting the device is enough to purge any potential infection but it is advised to change the password first as Mirai can quickly infect a device after a reboot.
Like with many other malware families protecting against Mirai can be done by individuals with relative ease. Hacker’s know that this is not often done, how many times to users and employees skip the need to update systems and software because it is not convenient at that time. When better security practices are adopted along with a comprehensive antivirus package life is made far harder for hackers.
▼ Show Discussion