A pair of Trend Micro research teams has detected and done a quick cyber-autopsy on a new Mirai-like attack that popped up in Mexico earlier this month targeting Gigabit Passive Optical Network (GPON) home routers and IP webcams.
The attacks, which ran from 8-10 May, sprang from 3,845 IP addresses located in Mexico and targeted routers and webcams that were still using default passwords. Once inside an IoT device, the threat actors use CVE-2018-10561 or CVE-2018-10562 to inject malware capable of remote code execution. Four variants of the malware are deployed, each built for a different processor architecture: ARM, ARMv7, MIPS and MIPS little-endian.
Trend Micro used the Autonomous System Numbers (ASN) of the compromised devices to track their location. In this case, ASN 8151 was found, which belongs to the Mexican telecom Uninet, according to Neustar's ASN lookup tool. In addition, the WHOIS data for the IP addresses indicated they are owned by the same Mexican firm.
Trend Micro's researchers reiterated that attacks like this Mirai variant can be blocked or defeated through two simple measures: changing the default login credentials and making sure the IoT device is running the most up-to-date version of its software.
“We recommend that users change the credentials of their devices — preferably, passwords that include at least 15 characters with a mix of uppercase and lowercase letters, numbers, and special characters — as soon as possible,” they said.