- A fresh version of the Mirai botnet now targets even more devices that are deployed throughout enterprise environments.
- The exploitation additions mainly concern routers, smart TVs, and presentation systems.
- By targeting IoT devices, Mirai has better chances of avoiding detection and gaining access to larger network bandwidth.
According to a Unit42 report, there’s a new spin of the notorious Mirai botnet that targets IoT devices, IP cameras, routers, NVRs, and network storage systems. Among the various devices that the new Mirai looks to infect are the LG Supersign TVs and various wireless presentation systems. As businesses generally use these systems for internal presentation purposes, it looks like Mirai is intensifying its focus on targeting the enterprise. About two weeks ago, we reported about a new malware campaign targeting APAC Windows servers and delivering a fresh version of the Mirai botnet. With this new report, it looks like Mirai is extending its attack by incorporating additional capacity for exploitation of existing vulnerabilities.
Upon an in-deep analysis conducted by the Unit42 researchers, it became apparent that the new Mirai variant features the ability to exploit 27 vulnerabilities, which is 11 more compared to the previous version. However, the new variant doesn’t only come with more exploitation potential, but also new features as well. For example, the new Mirai can be ordered (by the new C2) to send out HTTP Flood DDoS attacks. Of course, the command and control server uses a new domain, the default brute force credentials have been refreshed, and the shell script payload is fetched by a newly compromised website (a Colombian business website).
By targeting a wider range of devices that are used by businesses, the new Mirai can potentially reach more systems in the enterprise environment, and enter a lane of larger internet bandwidth, essentially leading to easier propagation and a platform for more effective DDoS attacks. IoT devices like wireless screens and presentation systems are often left unpatched for extended periods of time, and in the case that they are exploited, it usually takes the admins a long time before they notice. That said, they act like the weakest link in the chain of security in enterprise environments right now, and they are otherwise connected with the corporate network at all times.
The list of devices that are vulnerable to the new Mirai variant are the following:
- LG Supersign TV
- WePresent WiPG-1000 Wireless Presentation systems
- DLink DCS-930L Network Video Cameras
- DLink DIR-645, DIR-815 Routers
- Zyxel P660HN-T routers
- Netgear WG102, WG103, WN604, WNDAP350, WNDAP360, WNAP320, WNAP210, WNDAP660, WNDAP620 devices
- Netgear DGN2200 N300 Wireless ADSL2+ Modem Routers
- Netgear Prosafe WC9500, WC7600, WC7520 Wireless Controllers
- Netgear ReadyNAS Surveillance 1.4.3-16 and NUUO NVRMini devices
- Linksys WAP54G Wireless Access Points
- Linksys WRT100, WRT110 consumer routers
- ZTE ZXV10 H108L Routers with <= V1.0.01_WIND_A01
- Linksys E1500/E2500 routers