A new strain of the Mirai IoT malware has been discovered following the publication of exploit code targeting networking equipment.
According to a blog post by Chinese IT security firm Qihoo 360 Netlab, researchers noticed an increase in traffic scanning ports 2323 and 23.
“We are quite confident to tell this is a new Mirai variant,” the researchers said.
Researchers spotted two new credentials admin/CentryL1nk and admin/QwestM0dem being actively used. The credential admin/CentryL1nk first appeared in an exploit about ZyXEL PK5001Z modem in exploit-db less than a month ago.
They added that the misuse of these two credentials began at around 11 am on 22 November, reaching a peak, a day later. Around 100,000 IPs were recorded scanning for exploitable devices using the credentials, mostly from Argentina, as a source of 65,700.
“This leaves us wondering if it is an attack focus on several specific types of IoT device, as these devices are widely deployed in Argentina, just as happened at last year's Telekom event,” said researchers.
Bogdan Botezatu, senior e-threat analyst at Bitdefender, told SC Media UK that Mirai went open source in October 2016.
“Its original code has served as an inspiration to other cyber-criminals, so, currently, there are tens or even hundreds of variations of the Mirai bot attacking IoT devices. We are aware of at least 10 major botnets derived from Mirai. By major, I mean 10 K bots and up. New versions come and go, as hackers have easy access to both the bot's source code and to devices to infect,” he said.
“We presume that the uptick in attacks originating from Argentina is closely related to the publication of a proof-of-concept attack against the old ZyXEL PK5001Z routers that have been shipped with hardcoded credentials for the Telnet service. In terms of functionality, nothing has changed much, Mirai is still a basic bot with DDoS capabilities, but the recently posted credentials have helped operators seize significantly more vulnerable devices than they usually do,” he added.
Chris Doman, security researcher at AlienVault, told SC Media UK that the distribution servers seem to have been taken down today (Monday 27th), however given this is a worm the damage will likely already have been done in the preceding days.
“Whilst hard-coded credentials can make management easier for ISPs, it's inevitable that using the same credentials on every router like this will lead to security failure of some kind,” he added.
Ken Munro, partner in Pen Test Partners, told SC Media UK that the TCP/2323 vector is interesting and “smacks of the telnet port obfuscation used by the Lilin DVR (TCP/12323).”
“Routers shouldn't be running telnet or any other service exposed to the Internet. TR-069 and similar exist for remote configuration and diagnostics and this can be IP filtered by the device so that arbitrary people can't connect. It is also trivially easy to find out these passwords as weaknesses in the supply chain see them published online,” he added.
Christopher Littlejohns, EMEA manager at Synopsys, told SC Media UK that the ZyXEL PK5001Z Modem is yet another device with hard-coded credentials that is deployed in enough numbers to be worthy of interest to enable potential future DoS attacks.
“What is perhaps more worrying is that the target is a router, therefore all internet and network traffic within a house or small business is likely to pass through it. This potentially makes the target all the more valuable to the attacker as it may facilitate more sophisticated credential stealing attacks that can be monetised,” he said.
