Since it first wreaked havoc in 2016 by taking down a major DNS provider, Mirai malware has branched out into more than 60 known variants and taken aim at the enterprise.
IBM X-Force researchers have noted a sharp uptick in Mirai activity, with a spike starting in November 2018, and a doubling between the first quarter of 2018 and the first quarter of 2019, according to a blog post.
Researchers say these new variants have the potential to impact cloud servers and heavily compromise information and insurance services and more. As a result, connected devices at the enterprise level including medical devices, utility company meters, robots tracking warehouse inventory, and other devices are at risk.
Devices connected to the cloud could allow Mirai adversaries to gain access to cloud servers, infect a server with additional malware dropped by Mirai, or expose all IoT devices connected to the server to further compromise.
“Historically, simpler internet of things (IoT) devices such as routers and CCTV cameras were most affected, but recent IBM X-Force data indicates that threat actors are increasingly targeting enterprise devices,” researchers wrote in the post. “The attack landscape has been saturated with attacks against IoT devices since the Mirai botnet was discovered back in 2016.”
The number of connected devices is expected to grow by 31 billion in 2020 and the IoT market is on pace to reach 3 trillion by 2026 all while Mirai attacks have progressively increased since 2018.
Researchers warn the threat has gone beyond consumer products and that network defenders should begin taking measures to protect their IoT devices which may be exploited by Mirai.
Different payloads allow the malware to target a wider set of victims and hardware, an increase in Mirai-like botnets are aiming to infect ever more prevalent IoT devices, and newly detected Mirai-like samples have been compiled to attack new processors and architectures.
The botnet also poses a threat since IoT devices can be leveraged as cryptominers, threat actors are developing more creative ways to deliver payloads, and new vulnerabilities allow threat actors to frequently update exploits while slow patch implementation allows attackers to exploit these unpatched vulnerabilities.
In order to properly defend against current and future Miria-like threats, researchers recommend users conduct inventory on all IoT assets on a regular basis, ensure these devices are serving legitimate purposes, ensure devices are compliant, ensure devices are password protected using strong credentials, and restrict internet access to IoT devices by placing them behind firewalls and other network defenses.
In addition, enterprises should monitor for unexpected outbound Wget or PowerShell requests that may be attempting to pull malicious payloads, ensure IoT device interactions are encrypted, use threat intelligence to monitor trends, and restrict outbound activity for IoT devices that don’t require external access.