Another variant of the Mirai botnet was used to attack at least three financial institutions earlier this year using a variety of compromised consumer and enterprise-level IoT products.
Recorded Future's research team Insikt Group reported that between 27 January and 28 January the Mirai variant IoTroop (aka Reaper Bot), first seen in the wild in October 2017, was used to round up an assault force of 13,000 devices that unleashed a 30Gbps distributed denial of service attack on three separate targets. Insikt did not detail the damage done to the trio of targets.
“This is the first time we have observed an IoT botnet being used in a DDoS since Mirai, and it may be the first time IoTroop has been used to target victims since it was initially identified last year,” the report stated.
The researchers noted that the third company involved did not experience malicious data volumes at the same level as the previous victims, but they concluded that the close temporal proximity of the attacks suggests a possible connection.
IoTroop primarily uses routers, TVs, DVRs and IP cameras from major vendors including MikroTik, Ubiquiti and GoAhead, and in this attack 80 percent of the devices used were MikroTik routers with an open port 2000. The other 20 percent was composed of various IoT devices ranging from vulnerable Apache and IIS web servers to routers from various manufacturers. The majority of the enslaved devices were from Russia, followed by Brazil and Ukraine. Overall, 139 countries unknowingly contributed IoT devices to the attack.
“This distribution differed from the original Mirai botnet,” Insikt reported, noting that Brazil was the only country that appeared in the top five botnet client lists for both botnets.
Insikt listed, for tracking purposes, a series of IP addresses it found to be closely associated with the attacks and possibly used as botnet controllers: 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11 and 18.104.22.168.