A new variant of the Mirai malware, responsible for creating a vast IoT botnet, has been spotted in the wild, incorporating a brand new array of 11 exploits. In addition, the new variant of Mirai includes new credentials to use in brute force attacks against devices.
The variant appears to target a range of embedded devices, including routers, network storage devices, NVRs and IP cameras, and in particular popular enterprise devices such as WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs.
The discovery, reported by security researchers at Unit 42, indicates a worrying shift in strategy towards targeting enterprise devices, unlike previous iterations of Mirai, which aimed to compromise everyday IoT devices.
"These new features afford the botnet a large attack surface. In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks", noted the researchers.
Chris Doman, security researcher at AT&T Cybersecurity, told SC Media UK: "Whenever we look at new IoT malware - it's almost inevitably a new Mirai variant. Every day we see new Mirai variants with different payloads - it seems like someone has made a major upgrade in terms of exploits though."
However, David Kennefick, product architect at Edgescan, told SC Media UK that poor design and default credentials are the main loopholes Mirai is exploiting: "Mirai was one of the first truly scalable botnets and enabled attacks that broke all previous records. It preys on poor device design, with the default credentials being the first attack vector that is used. Mirai has no need to veer from a design that has been successful, so the only approach to combating this malicious actor is to implement security earlier in the device design process and stop using poor default credentials on devices that are designed to be internet facing."
Although the additional exploits (a full list can be found here) are new to Mirai, many are not new to security researchers: the remote code execution exploit for LG Supersign TVs (CVE-2018-17173) was made public in September last year, while the command-injection vulnerability in the WePresent WiPG-1000 was published on Metasploit in 2017.
Jarno Niemela, principal researcher at F-Secure, agreed, telling SC Media UK: "While the variant of Mirai may be new, the methods it uses are ancient. This new Mirai is a perfect example why every organisation needs to map their own networks from an external point of view and close off everything that is open and does not need to be. The types of new devices that Mirai attacks have no business being visible to the Internet."
Lane Thames, senior security researcher at Tripwire, went further to point out that the discovery throws a wider light on security industry practices: "The fact is that we in the computing industry still have a long way to go in terms of maturing our secure development practices. Particularly, the two vulnerabilities affecting WePresent and the Supersign TV are trivial to exploit, but more concerning is that they are trivial to prevent.
"These two vulnerabilities are a classic case of a web application not sanitising user input (input that a user/attacker can control when interacting with the web application). These two vulnerabilities are very basic and easily addressed with modern development frameworks. Further, organisations developing web-based products should have mechanisms in place to catch such low-hanging 'fruit' as this during their development and QA processes. Don't get me wrong, developing secure software is hard, and there is no such thing as perfect security. But we should have graduated beyond this level by now!"
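To illustrate the input-handling failure Thames describes, here is an added example (not code from the original article, from Unit 42, or from either vendor): a hypothetical embedded-device "ping host" web handler shown in its injectable form and in a hardened form that allow-list validates the parameter and never hands it to a shell. The handler, parameter name and sample inputs are all assumed for illustration.

```python
import ipaddress
import re
import shlex
from typing import List, Tuple

# Constructed sample inputs a "ping host" form field might carry.
VALID_HOST = "gateway.example.com"
INJECTED_HOST = "gateway.example.com; echo injected"

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 253 characters overall.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

def build_command_unsafe(host: str) -> str:
    """The injectable pattern: the raw form value is spliced into a string
    that is later run through a shell, so metacharacters in `host` become
    part of the command line."""
    return "ping -c 1 " + host

def is_valid_host(host: str) -> bool:
    """Allow-list check: accept only an IP address or a well-formed
    hostname; anything else (spaces, ';', '|', '$(' ...) is rejected."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(host))

def build_command_safe(host: str) -> List[str]:
    """Hardened form: validate first, then build an argv list intended for
    subprocess.run(argv, shell=False) so no shell ever parses the value."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]

def handle_ping_request(params: dict) -> Tuple[int, str]:
    """Stand-in for the device's web handler: 400 on bad input, otherwise
    200 with the argv it would execute, rendered via shlex.join."""
    try:
        argv = build_command_safe(params.get("host", ""))
    except ValueError as exc:
        return 400, str(exc)
    return 200, shlex.join(argv)
```

The hardened handler rejects the injected value with a 400 before any command is built, which is also the point at which a device could log the attempt for detection.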
Mirai is best known for being used in a series of record-breaking DDoS attacks in 2016, including on web hosting provider OVH and DNS provider Dyn. One of the developers was recently ordered to pay out £5 million in damages by a US federal court.
Israel Barak, CISO at Cybereason, had some sage advice for enterprises concerned about botnets in general: "These botnets are not necessarily sophisticated. They take over machines that don't have tight security. There is no way of hiding from these botnets. If you have an IP address that is online, and security is an afterthought, your company is a target. This cascading effect can all take place in a matter of 1-2 days. The moment you put a vulnerable asset online, it's only a matter of time before you are victimised."