
Mirai variant adds 11 new exploits, shifting focus to enterprise IoT devices

Developers behind a newly discovered variant of the Mirai Internet of Things botnet malware have expanded their target list, placing a greater emphasis on high-bandwidth enterprise devices that are potentially capable of launching heavy-duty distributed denial of service attacks.

Detected by the Palo Alto Networks Unit 42 threat research team, the botnet still attempts to infect consumer devices like its predecessors, but the move toward enterprise IoT devices could augur future DDoS assaults that rival or surpass previous Mirai attacks like the one that disrupted the operations of Domain Name System provider Dyn in 2016.

The new malware variant, which has no nickname, includes 27 exploits, 11 of which have never been seen before in a Mirai variant, along with new credentials for brute-forcing devices. Among the new additions are exploits for the WePresent WiPG-1000 Wireless Presentation System and the LG Supersign TV digital signage solution, both of which are typically used by businesses. "This development indicates to us a potential shift to using Mirai to target enterprises" for compromise, according to a March 18 blog post penned by researcher Ruchna Nigam.

The last time Unit 42 noticed a similar trend was in September 2018, when company researchers reported that variants of Mirai and fellow IoT botnet Gafgyt (aka Bashlite) were respectively exploiting vulnerabilities in the Apache Struts open-source web application framework and SonicWall's Global Management System.

The nine other new Mirai exploits target video cameras and routers from D-Link; routers from Zyxel; and modems, routers, wireless access points and wireless controllers from Netgear.

"These new features afford the botnet a large attack surface. In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks," Nigam wrote in the blog post, adding that the variant can also be commanded to send out HTTP flood DDoS attacks that bombard web servers or applications with HTTP GET or POST requests.

Researchers found the malicious payload hosted on a compromised website advertising a Colombian electronic security integration and alarm monitoring business. Further investigation revealed additional samples hosted at a different IP address that also harbored some instances of Gafgyt.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
