New Mirai Variant Targets Enterprise Networks

Researchers have uncovered a new version of Mirai, the internet-of-things botnet notorious for taking down a number of major sites in 2016, with features that target enterprise networks.

Palo Alto Networks’ Unit 42 said the new variant surfaced in early January, with the addition of attack capabilities aimed at WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs, both of which are intended for business use.

To date, Mirai has targeted household devices such as routers, network storage devices, IP cameras and network video recorders, with exploits against enterprise software or devices remaining rare.

“This development indicates to us a potential shift to using Mirai to target enterprises,” Unit 42 said in an advisory.

Enterprise shift

The firm noted it had previously seen Mirai incorporating exploits against Apache Struts and SonicWall security appliances, both of which are also used by businesses.

Like other botnets, Mirai gains access to devices in order to use their computing power and bandwidth to launch denial-of-service attacks on other services.

Mirai was, however, the first to become known for relying on internet-of-things connected devices, which helped power a 2016 attack on DNS provider Dyn that took down access to a number of major websites.

The new Mirai variant includes a number of new exploits and new credentials for use in gaining brute-force access to devices, Unit 42 said.

Its malicious payload is hosted at a compromised website for a business in Colombia that, ironically, sells electronic security, integration and alarm monitoring services.

The new features give Mirai a larger attack surface, and focusing on enterprises could give it access to more bandwidth, resulting in more firepower for denial-of-service attacks, Unit 42 said.

“These developments underscore the importance for enterprises to be aware of the IoT devices on their network, change default passwords, ensure that devices are fully up-to-date on patches,” the company said.

New exploits

The new variant uses a total of 27 exploits, 11 of which are new to Mirai, although in some cases they have been previously available on the internet.

It also includes new default device credentials, some of which Unit 42 said hadn’t previously been seen.

The new Mirai can scan for other vulnerable devices, as well as launching HTTP Flood and DDoS attacks, Unit 42 said.

Security researcher Troy Mursch of Bad Packets said earlier this week the firm had seen a steady rise in Mirai activity since early January, around the time that Palo Alto Networks discovered the new variant.

Mursch said on Twitter he had seen the “largest spike of activity… in the last two weeks”, indicating attackers’ renewed interest in the botnet.

In recent months Mirai has been linked to illicit Bitcoin mining and a 54-hour-long attack on a US university.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
