According to a Unit42 report, there’s a new spin of the notorious Mirai botnet that targets IoT devices, IP cameras, routers, NVRs, and network storage systems. Among the various devices that the new Mirai looks to infect are the LG Supersign TVs and various wireless presentation systems. As businesses generally use these systems for internal presentation purposes, it looks like Mirai is intensifying its focus on targeting the enterprise. About two weeks ago, we reported about a new malware campaign targeting APAC Windows servers and delivering a fresh version of the Mirai botnet. With this new report, it looks like Mirai is extending its attack by incorporating additional capacity for exploitation of existing vulnerabilities.
Upon an in-deep analysis conducted by the Unit42 researchers, it became apparent that the new Mirai variant features the ability to exploit 27 vulnerabilities, which is 11 more compared to the previous version. However, the new variant doesn’t only come with more exploitation potential, but also new features as well. For example, the new Mirai can be ordered (by the new C2) to send out HTTP Flood DDoS attacks. Of course, the command and control server uses a new domain, the default brute force credentials have been refreshed, and the shell script payload is fetched by a newly compromised website (a Colombian business website).
By targeting a wider range of devices that are used by businesses, the new Mirai can potentially reach more systems in the enterprise environment, and enter a lane of larger internet bandwidth, essentially leading to easier propagation and a platform for more effective DDoS attacks. IoT devices like wireless screens and presentation systems are often left unpatched for extended periods of time, and in the case that they are exploited, it usually takes the admins a long time before they notice. That said, they act like the weakest link in the chain of security in enterprise environments right now, and they are otherwise connected with the corporate network at all times.
The list of devices that are vulnerable to the new Mirai variant are the following: