New Mirai malware targets enterprise IoT devices

Security researchers have discovered a new variant of the Mirai IoT malware that’s targeting enterprise-focused devices rather than vulnerable consumer IoT devices.

Palo Alto Network’s Unit 42 said that the new variant, which was discovered earlier this year, is targeting LG Supersigns TVs and WePresent WiPG-1000 Wireless Presentation systems, both of which are intended for business use.

Previously, Mirai had targeted infected household devices such as routers, network storage devices, IP cameras, and network video recorders.

Mirai malware

“This development indicates to us a potential shift to using Mirai to target enterprises,” Unit 42 said in an advisory on Monday (March.18th).

The firm said that the exploit had also ended up on smart TVs, smartphones, and on some enterprise Apache Struts and SonicWall security servers, both of which are used by businesses.

Just like other botnets, Mirai gains access to devices in order to use their computing power and bandwidth to carry out a denial-of-service attack against other services.

Mirai was, however, the first to become known for relying on internet-of-things connected devices, which helped power a 2016 DDoS attack against the popular DNS service Dyn and caused major outages to popular sites like Twitter, Sound Cloud, Spotify, and Shopify.

The new Mirai variant includes a number of new exploits and new credentials to use in brute force attacks against devices, Unit 42 said.

Its malicious payload was hosted at a compromised website for an organisation in Colombia that sells electronics, security, and alarm monitoring services.

“These new features afford the botnet a large attack surface. In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks,” Unit 42 said.

“These developments underscore the importance for enterprises to be aware of the IoT devices on their network, change default passwords, and ensure that devices are fully up-to-date on patches,” the company added.

New exploits

Unit 42 researchers said the new variant contains a total of 27 exploits, of which 11 are new to Mirai.

The new variant also has unusual default credentials that the research firm haven’t come across until now.

In addition to scanning other vulnerable devices, the new variant can launch HTTP Flood and DDoS attacks, Unit 42 said.

Troy Mursch, an independent security researcher at Bad Packets, said on Twitter that the firm had seen a rise in Mirai activity since early January, around the same time that Palo Alto Networks found the new variant.

“Mirai-like detections continue an upward trend over the last 60 days. Largest spike of activity happened in the last two weeks,” Mursch tweeted.

Related Posts