Firewalls, Routers, Patch/Configuration Management

IZ1H9 Mirai campaign launches DDoS attacks on Linux-based routers

Network cables

The Mirai-based IZ1H9 campaign has been observed aggressively executing distributed denial-of-service (DDoS) attacks with 13 payloads on Linux-based routers and other Internet of Things (IoT) devices from leading vendors such as D-Link, Netis and Zyxel.

In a blog post Oct. 9, Fortinet’s FortiGuard Labs said what amplifies the impact of the IZ1H9 campaign are the rapid updates to the vulnerabilities it exploits. The attackers were able to infect vulnerable devices and dramatically expand its botnet through the use of recently released exploit code, which encompasses numerous critical CVEs.

The researchers said once an attacker gains control of a vulnerable device, they can incorporate these newly compromised devices into their botnet, which lets them launch further DDoS and brute-force attacks. FortiGuard strongly recommends that organizations promptly apply patches when available and always change default login credentials for devices.

“IoT devices have long been an attractive target for threat actors, with remote code execution attacks posing the most common and concerning threats to both IoT devices and Linux servers,” wrote the FortiGuard researchers. “The exposure of vulnerable devices can result in severe security risks. Despite the availability of patches for these vulnerabilities, the number of exploit triggers remains alarmingly high, often numbering in the thousands.”

There has been an explosion of exploitable vulnerabilities on IoT devices because there are more variables to test for than in traditional IT systems, said John Gallagher, vice president of Viakoo Labs. Gallagher said the lack of standard operating systems in IoT devices means that a vulnerability already mitigated in Windows or Linux might not have been in the unique operating system used in an IoT device, such as a router. 

“Whether remote offices, home offices, warehouses or factory floors, many organizations have powerful network-connected devices that are found outside the direct management of IT,” explained Gallagher.  “Almost all organizations have security policies — the question is whether they are enforced or have specific exemptions granted. The use of an agentless asset discovery solution, as well as application-based discovery, can provide a starting point for securing your asset inventory, and identifying at an application level the most critical systems.”

Timothy Morris, chief security advisor at Tanium, added that it’s important users install the updates provided by the vendors.

“From what I can tell, most of these devices would be in homes and small businesses, meaning that they are most likely unmanaged, hence, an easy target to grow the Mirai botnet,” said Morris. “What I've gathered is exploits will install a payload that contains a shell script. Logs are deleted and the configuration of the devices are altered by modifying iptables to obscure the attackers’ activities and enable communications to those devices.”

John Bambenek, principal threat hunter at Netenrich, said at a time of great geopolitical unrest, increased DDoS attacks are likely.

“With these changes, more vulnerable devices are out there and it's purely a math game,” said Bambenek. “More nodes in the botnet mean more attacks and more outages.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.