A recently discovered variant of the infamous Mirai botnet is targeting devices specifically intended for businesses, potentially signaling a focus toward enterprise.
Best known for the massive attacks on OVH and Dyn in late 2016, Mirai is a Linux malware targeting Internet of Things (IoT) devices in an attempt to ensnare them into botnets capable of launching distributed denial of service (DDoS) attacks.
Numerous variants of the malware have emerged ever since Mirai’s source code leaked in October 2016, including Wicked, Satori, Okiru, Masuta, and others. One variant observed last year was leveraging an open-source project to become cross-platform and target multiple architectures, including ARM, MIPS, PowerPC, and x86.
The newly discovered variant of the botnet targets embedded devices such as routers, network storage devices, NVRs, and IP cameras and leverages various exploits in an attempt to compromise them, Palo Alto Networks’ security researchers have discovered.
The malware was observed attempting to ensnare WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs, two devices intended for use within business environments.
“This development indicates to us a potential shift to using Mirai to target enterprises. The previous instance where we observed the botnet targeting enterprise vulnerabilities was with the incorporation of exploits against Apache Struts and SonicWall,” Palo Alto Networks notes.
The new threat, the researchers say, also includes some additional exploits in its arsenal. Of the 27 exploits contained within the malware, 11 are new to Mirai, and it can leverage a new set of credentials when attempting to brute force devices.
“These developments underscore the importance for enterprises to be aware of the IoT devices on their network, change default passwords, ensure that devices are fully up-to-date on patches. And in the case of devices that cannot be patched, to remove those devices from the network as a last resort,” Palo Alto Networks says.
The new threat uses the same encryption scheme characteristic of Mirai, which allowed the researchers to uncover some of the new default credentials that it targets. The malware can scan for vulnerable devices and also includes the ability to launch HTTP Flood DDoS attacks.
The shell script payload is hosted at the compromised website for an “Electronic security, integration and alarm monitoring” business in Colombia.
The researchers discovered that samples fetching the same payload were hosted at the same IP that had been hosting some Gafgyt samples only a few days before, and that these featured the same name as the binaries fetched by the shell script.
“IoT/Linux botnets continue to expand their attack surface, either by the incorporation of multiple exploits targeting a plethora of devices, or by adding to the list of default credentials they brute force, or both. In addition, targeting enterprise vulnerabilities allows them access to links with potentially larger bandwidth than consumer device links, affording them greater firepower for DDoS attacks,” Palo Alto Networks concludes.
Related: Mirai Author Gets House Arrest for DDoS Attacks on University