New Mirai Variant Targets Enterprise Networks

Researchers have uncovered a new version of Mirai, the internet-of-things botnet notorious for taking down a number of major sites in 2016, with features that target enterprise networks.

Palo Alto Networks’ Unit 42 said the new variant surfaced in early January, with the addition of attack capabilities aimed at WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs, both of which are intended for business use.

To date, Mirai has targeted household devices such as routers, network storage devices, IP cameras and network video recorders, with exploits against enterprise software or devices remaining rare.

“This development indicates to us a potential shift to using Mirai to target enterprises,” Unit 42 said in an advisory.

Enterprise shift

The firm noted it had previously seen Mirai incorporating exploits against Apache Struts and SonicWall security appliances, both of which are also used by businesses.

Like other botnets, Mirai gains access to devices in order to use their computing power and bandwidth to launch denial-of-service attacks on other services.

Mirai was, however, the first to become known for relying on internet-of-things connected devices, which helped power a 2016 attack on DNS provider Dyn that took down access to a number of major websites.

The new Mirai variant includes a number of new exploits and new credentials for use in gaining brute-force access to devices, Unit 42 said.

Its malicious payload is hosted at a compromised website for a business in Colombia that, ironically, sells electronic security, integration and alarm monitoring services.

The new features give Mirai a larger attack surface, and focusing on enterprises could give it access to more bandwidth, resulting in more firepower for denial-of-service attacks, Unit 42 said.

“These developments underscore the importance for enterprises to be aware of the IoT devices on their network, change default passwords, ensure that devices are fully up-to-date on patches,” the company said.

New exploits

The new variant uses a total of 27 exploits, 11 of which are new to Mirai, although in some cases they have been previously available on the internet.

It also includes new default device credentials, some of which Unit 42 said hadn’t previously been seen.

The new Mirai can scan for other vulnerable devices, as well as launch HTTP Flood and DDoS attacks, Unit 42 said.

Security researcher Troy Mursch of Bad Packets said earlier this week the firm had seen a steady rise in Mirai activity since early January, around the time that Palo Alto Networks discovered the new variant.

Mursch said on Twitter he had seen the “largest spike of activity… in the last two weeks”, indicating attackers’ renewed interest in the botnet.

In recent months Mirai has been linked to illicit Bitcoin mining and a 54-hour-long attack on a US university.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
