Security researchers from Palo Alto Networks have discovered a new variant of the Mirai IoT botnet. This variant targets enterprise wireless presentation and display systems, with the goal of gaining control of more bandwidth for carrying out DDoS attacks.
Mirai first appeared in 2016. It is a well-known IoT botnet malware that infects routers, security cameras, DVRs and other smart devices, often by compromising devices that still use default credentials or run outdated versions of Linux and turning them into zombies. Although the original creators of the Mirai botnet have been arrested and imprisoned, the source code has spread on the Internet since 2016, resulting in the emergence of IoT malware variants such as Satori and Okiru. Researchers at Palo Alto Networks Unit 42 discovered the latest version of Mirai, which marks the first time Mirai has targeted enterprise devices, including the latest versions of the WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs.
Palo Alto wrote, “this latest sample contains a total of 27 exploits, of which 11 are new to Mirai.” According to Unit 42 researchers, these new features give the botnet a huge attack surface, and targeting companies gives it access to more bandwidth, ultimately providing the botnet with more power for DDoS attacks. The new Mirai variant also targets a variety of embedded hardware such as Linksys routers, ZTE routers, D-Link routers, network storage devices, NVRs, and IP cameras.
After scanning for and identifying a vulnerable device, the malware obtains the new Mirai payload from a compromised website, downloads it to the target device, and adds the device to the botnet, which can then be used to initiate an HTTP Flood attack. Researchers say the new variant highlights the need for companies to know which IoT devices are on their networks, change default passwords, and ensure that devices are fully patched. Devices that cannot be patched should be removed from the network.