Researchers warn businesses to be vigilant as notorious IoT botnet looks to take over enterprise devices
Researchers have uncovered a new version of Mirai, the internet-of-things botnet notorious for taking down a number of major sites in 2016, with features that target enterprise networks.
Palo Alto Networks’ Unit 42 said the new variant surfaced in early January, with the addition of attack capabilities aimed at WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs, both of which are intended for business use.
To date, Mirai has targeted household devices such as routers, network storage devices, IP cameras and network video recorders, with exploits against enterprise software or devices remaining rare.
“This development indicates to us a potential shift to using Mirai to target enterprises,” Unit 42 said in an advisory.
The firm noted it had previously seen Mirai incorporating exploits against Apache Struts and SonicWall security appliances, both of which are also used by businesses.
Like other botnets, Mirai gains access to devices in order to use their computing power and bandwidth to launch denial-of-service attacks on other services.
Mirai was, however, the first to become known for relying on internet-of-things connected devices, which helped power a 2016 attack on DNS provider Dyn that took down access to a number of major websites.
The new Mirai variant includes a number of new exploits and new credentials for use in gaining brute-force access to devices, Unit 42 said.
Its malicious payload is hosted at a compromised website for a business in Colombia that, ironically, sells electronic security, integration and alarm monitoring services.
The new features give Mirai a larger attack surface, and focusing on enterprises could give it access to more bandwidth, resulting in more firepower for denial-of-service attacks, Unit 42 said.
“These developments underscore the importance for enterprises to be aware of the IoT devices on their network, change default passwords, ensure that devices are fully up-to-date on patches,” the company said.
The new variant uses a total of 27 exploits, 11 of which are new to Mirai, although some of these were already available on the internet.
It also includes new default device credentials, some of which Unit 42 said hadn’t previously been seen.
The new Mirai can scan for other vulnerable devices, as well as launch HTTP Flood and DDoS attacks, Unit 42 said.
Security researcher Troy Mursch of Bad Packets said earlier this week the firm had seen a steady rise in Mirai activity since early January, around the time that Palo Alto Networks discovered the new variant.
Mursch said on Twitter he had seen the “largest spike of activity… in the last two weeks”, indicating attackers’ renewed interest in the botnet.