New Mirai Variant Targets Enterprise IoT Devices

A recently discovered variant of the infamous Mirai botnet is targeting devices specifically intended for businesses, potentially signaling a focus toward enterprise. 

A recently discovered variant of the infamous Mirai botnet is targeting devices specifically intended for businesses, potentially signaling a focus toward enterprise. 

Best known for the massive attacks on OVH and Dyn in late 2016, Mirai is a Linux malware targeting Internet of Things (IoT) devices in an attempt to ensnare them into botnets capable of launching distributed denial of service (DDoS) attacks. 

Numerous variants of the malware have emerged ever since Mirai’s source code leaked in October 2016, including Wicked, Satori, Okiru, Masuta, and others. One variant observed last year was leveraging an open-source project to become cross-platform and target multiple architectures, including ARM, MIPS, PowerPC, and x86.

The newly discovered variant of the botnet targets embedded devices such as routers, network storage devices, NVRs, and IP cameras and leverages various exploits in an attempt to compromise them, Palo Alto Networks’ security researchers have discovered. 

The malware was observed attempting to ensnare WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs, two devices intended for use within business environments. 

“This development indicates to us a potential shift to using Mirai to target enterprises. The previous instance where we observed the botnet targeting enterprise vulnerabilities was with the incorporation of exploits against Apache Struts and SonicWall,” Palo Alto Networks notes.

The new threat, the researchers say, also includes some additional exploits in its arsenal. Of the 27 exploits contained within the malware, 11 are new to Mirai, and it can leverage a new set of credentials when attempting to brute force devices. 

“These developments underscore the importance for enterprises to be aware of the IoT devices on their network, change default passwords, ensure that devices are fully up-to-date on patches. And in the case of devices that cannot be patched, to remove those devices from the network as a last resort,” Palo Alto Networks says. 

The new threat uses the same encryption scheme characteristic of Mirai, which allowed the researchers to uncover some of the new default credentials that it targets. The malware can scan for vulnerable devices and also includes the ability to launch HTTP Flood DDoS attacks.
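The "encryption scheme characteristic of Mirai" referred to above is, in the leaked Mirai source, a string-table obfuscation that XORs every byte with the four bytes of the key 0xdeadbeef in turn. The following is an added analyst's helper, not code from the article or from Palo Alto Networks' report, that reverses that scheme so a defender can list which default credentials a sample tries and confirm those are changed on their own devices; the sample bytes are constructed here to mirror the encoding used by the leaked source's `add_auth_entry()` calls, and the assumption that the new variant uses exactly this key is taken from the article's statement that the scheme is unchanged.

```python
# Added example: decode Mirai-style XOR-obfuscated credential strings.
# Assumption (from the article): the variant keeps the leaked source's
# table key 0xdeadbeef.  XORing with all four key bytes in turn collapses
# to a single-byte XOR with 0xde ^ 0xad ^ 0xbe ^ 0xef == 0x22.
from typing import List, Tuple

MIRAI_TABLE_KEY = 0xDEADBEEF


def key_bytes(key: int = MIRAI_TABLE_KEY) -> List[int]:
    """Split the 32-bit key into its four bytes, most significant first."""
    return [(key >> shift) & 0xFF for shift in (24, 16, 8, 0)]


def toggle_obf(data: bytes, key: int = MIRAI_TABLE_KEY) -> bytes:
    """XOR each byte with every key byte; the operation is its own inverse."""
    out = bytes(data)
    for k in key_bytes(key):
        out = bytes(b ^ k for b in out)
    return out


def decode_auth_entries(entries: List[Tuple[bytes, bytes]]) -> List[Tuple[str, str]]:
    """Turn (obfuscated_user, obfuscated_pass) pairs into readable text."""
    return [(toggle_obf(u).decode("ascii"), toggle_obf(p).decode("ascii"))
            for u, p in entries]


def recover_strings(blob: bytes, min_len: int = 3) -> List[str]:
    """Split a raw .rodata-style blob on NUL terminators, decode each piece,
    and keep only the pieces that come out as printable ASCII."""
    found = []
    for chunk in blob.split(b"\x00"):
        if len(chunk) < min_len:
            continue
        plain = toggle_obf(chunk)
        if all(0x20 <= b < 0x7F for b in plain):
            found.append(plain.decode("ascii"))
    return found


# Constructed sample entries in the same encoding as the leaked source
# (decode to root/xc3511, root/vizxv and admin/admin).
SAMPLE_ENTRIES = [
    (b"\x50\x4D\x4D\x56", b"\x5A\x41\x11\x17\x13\x13"),
    (b"\x50\x4D\x4D\x56", b"\x54\x4B\x58\x5A\x54"),
    (b"\x43\x46\x4F\x4B\x4C", b"\x43\x46\x4F\x4B\x4C"),
]

# Constructed blob: three obfuscated strings plus one non-string chunk.
SAMPLE_BLOB = (b"\x50\x4D\x4D\x56\x00" b"\x5A\x41\x11\x17\x13\x13\x00"
               b"\xff\xfe\x01\x00" b"\x43\x46\x4F\x4B\x4C\x00")

if __name__ == "__main__":
    for user, pw in decode_auth_entries(SAMPLE_ENTRIES):
        print(f"{user}:{pw}")
    print(recover_strings(SAMPLE_BLOB))
```

Running the script against strings carved from a real sample yields the credential list to compare against your own device inventory.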

The shell script payload is hosted at the compromised website for an “Electronic security, integration and alarm monitoring” business in Colombia. 

The researchers discovered that samples fetching the same payload were hosted at the same IP that had been hosting some Gafgyt samples only a few days before, and that these featured the same name as the binaries fetched by the shell script. 

“IoT/Linux botnets continue to expand their attack surface, either by the incorporation of multiple exploits targeting a plethora of devices, or by adding to the list of default credentials they brute force, or both. In addition, targeting enterprise vulnerabilities allows them access to links with potentially larger bandwidth than consumer device links, affording them greater firepower for DDoS attacks,” Palo Alto Networks concludes. 


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
