There is a new variant of the IoT/Linux botnet Mirai going after routers, storage devices and IP cameras, to name a few.
Mirai is best known for being used in the massive distributed denial of service (DDoS) attacks of 2016 against notable targets such as web hosting provider OVH and DNS provider Dyn.
This new variant, discovered by Palo Alto Networks’ Unit 42, is targeting embedded devices like routers, network storage devices, NVRs, and IP cameras and using numerous exploits against them.
“The new variant targets WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs,” Unit 42 researcher Ruchna Nigam said in a post. “Both these devices are intended for use by businesses. This development indicates to us a potential shift to using Mirai to target enterprises. The previous instance where we observed the botnet targeting enterprise vulnerabilities was with the incorporation of exploits against Apache Struts and SonicWall.”
In addition, the variant includes new exploits, as well as the ability to brute-force device credentials when needed.
It turns out the malicious payload was hosted at a compromised website in Colombia, an “electronic security, integration and alarm monitoring” business, Nigam said.
“These new features afford the botnet a large attack surface,” Nigam said. “In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks.”
It goes without saying, but enterprises need to stay on top of the IoT devices on their network, change default passwords, and ensure devices are fully up to date on patches. Devices that cannot be patched should be removed from the network.
The latest sample of this new variant contains 27 exploits, 11 of which are new to Mirai.
Aside from the incorporation of unusual exploits, Unit 42 found the variant had some other differentiating features:
• It uses the same encryption scheme that is characteristic of Mirai, with a table key of 0xbeafdead
• When decrypting strings using this key, they found certain unusual default credentials for brute force not seen before:
• It uses the domain epicrustserver[.]cf at port 3933 for C2 communication
• In addition to scanning for other vulnerable devices, the new version can be commanded to send out HTTP Flood DDoS attacks
“IoT/Linux botnets continue to expand their attack surface, either by the incorporation of multiple exploits targeting a plethora of devices, or by adding to the list of default credentials they brute force, or both,” Nigam said. “In addition, targeting enterprise vulnerabilities allows them access to links with potentially larger bandwidth than consumer device links, affording them greater firepower for DDoS attacks.”