
Security researchers have uncovered a new variant of the infamous Mirai Internet of Things botnet, this time targeting embedded devices intended for use within business environments in an attempt to gain control over larger bandwidth to carry out devastating DDoS attacks.

Although the original creators of the Mirai botnet have already been arrested and jailed, variants of the infamous IoT malware, including Satori and Okiru, keep emerging because its source code has been available on the Internet since 2016.

First seen in 2016, Mirai is a well-known IoT botnet malware that can infect routers, security cameras, DVRs, and other smart devices (which typically use default credentials and run outdated versions of Linux) and enslaves the compromised devices to form a botnet, which is then used to conduct DDoS attacks.

New Mirai Variant Targets Enterprise IoT Devices

Now, Palo Alto Networks Unit 42 researchers have spotted the newest variant of Mirai, which for the first time targets enterprise-focused devices, including WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs.

The Mirai variant adds 11 new exploits to its “multi-exploit battery,” bringing the total to 27 exploits, and adds a new set of “unusual default credentials” to use in brute-force attacks against Internet-connected devices.

“These new features afford the botnet a large attack surface,” Unit 42 researchers reported in a blog post published Monday. “In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks.”

While a remote code execution exploit for LG Supersign TVs (CVE-2018-17173) was made available in September last year, attack code exploiting a command-injection vulnerability in the WePresent WiPG-1000 was published in 2017.

Besides these two exploits, the new Mirai variant also targets various embedded hardware, such as:

  • Linksys routers
  • ZTE routers
  • D-Link routers
  • Network Storage Devices
  • NVRs and IP cameras

After scanning for and identifying vulnerable devices, the malware fetches the new Mirai payload from a compromised website and downloads it onto the target device, which is then added to the botnet and can eventually be used to launch HTTP flood DDoS attacks.
