New Mirai Variant Targets Enterprise Networks

Researchers have uncovered a new version of Mirai, the internet-of-things botnet notorious for taking down a number of major sites in 2016, with features that target enterprise networks.

Palo Alto Networks’ Unit 42 said the new variant surfaced in early January, with the addition of attack capabilities aimed at WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs, both of which are intended for business use.

To date, Mirai has targeted household devices such as routers, network storage devices, IP cameras and network video recorders, with exploits against enterprise software or devices remaining rare.

“This development indicates to us a potential shift to using Mirai to target enterprises,” Unit 42 said in an advisory.

Enterprise shift

The firm noted it had previously seen Mirai incorporating exploits against Apache Struts and SonicWall security appliances, both of which are also used by businesses.

Like other botnets, Mirai gains access to devices in order to use their computing power and bandwidth to launch denial-of-service attacks on other services.

Mirai was, however, the first to become known for relying on internet-of-things connected devices, which helped power a 2016 attack on DNS provider Dyn that took down access to a number of major websites.

The new Mirai variant includes a number of new exploits and new credentials for use in gaining brute-force access to devices, Unit 42 said.

Its malicious payload is hosted at a compromised website for a business in Colombia that, ironically, sells electronic security, integration and alarm monitoring services.

The new features give Mirai a larger attack surface, and focusing on enterprises could give it access to more bandwidth, resulting in more firepower for denial-of-service attacks, Unit 42 said.

“These developments underscore the importance for enterprises to be aware of the IoT devices on their network, change default passwords, ensure that devices are fully up-to-date on patches,” the company said.

New exploits

The new variant uses a total of 27 exploits, 11 of which are new to Mirai, although in some cases they have been previously available on the internet.

It also includes new default device credentials, some of which Unit 42 said hadn’t previously been seen.

The new Mirai can scan for other vulnerable devices, as well as launching HTTP Flood and DDoS attacks, Unit 42 said.

Security researcher Troy Mursch of Bad Packets said earlier this week the firm had seen a steady rise in Mirai activity since early January, around the time that Palo Alto Networks discovered the new variant.

Mursch said on Twitter he had seen the “largest spike of activity… in the last two weeks”, indicating attackers’ renewed interest in the botnet.

In recent months Mirai has been linked to illicit Bitcoin mining and a 54-hour-long attack on a US university.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
