Mirai Botnet Code Gets Exploit RefreshUsers of Mirai Likely Seek Enterprise-Class Bandwidth, Says Palo Alto Networks
Mirai, the powerful malware that unleashed unprecedented distributed denial-of-service attacks in 2016, has never gone away. And now a new version has been equipped with fresh exploits that suggest its operators want to harness the bandwidth offered by big businesses.
Palo Alto Networks says it found 11 new exploits in a Mirai variant along with unusual new combinations of default credentials that can be used to log into devices. Some of the new exploits target internet of things equipment likely to only be used by enterprises.
"These new features afford the botnet a large attack surface," writes Ruchna Nigam, a senior threat researcher with Palo Alto's Unit 42 research group. "In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks."
Mirai caused huge problems in a string of attacks starting around September 2016. The blog of security writer Brian Krebs was hit with an attack exceeding 600 Gbps. Later, Mirai struck French hosting provider OVH, internet services provider Dyn and Deutsche Telekom (see: Mirai Botnet Knocks Out Deutsche Telekom Routers).
Mirai's power came from hundreds of thousands of IoT devices that still used default login credentials or were otherwise vulnerable. It was coded as a worm, so once it infected a device, it searched for others. Three of Mirai's co-authors were convicted and sentenced, but the code has long been available and remains available for others to modify (see: Mirai Co-Author Gets House Arrest, $8.6 Million Fine).
And others have continued to borrow from the code, which has turned up in multiple strains of newer malware, including Chalubo. Researchers have also found numerous IoT botnets attempting to exploit devices using the 64 username and password combinations hardcoded into Mirai source code, as well as more than 1,000 new such combinations (see: Botnets Keep Brute-Forcing Internet of Things Devices).
Novel Exploits Used
In the latest version of Mirai, meanwhile, Palo Alto's Nigam says researchers found two unexpected exploits: one for the WePresent WiPG-1000 Wireless Presentation system and another for a content management system developed by LG to manage screen-based signage. Neither of the exploits had been seen in the wild before. Both types of software are most likely to be used by businesses.
"In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks," Nigam writes.
The exploit for LG targets a vulnerability (CVE-2018-17173) in its LG SuperSign EZ CMS 2.5, which ships as part of LG's WebOS operating system in smart TVs. The vulnerability was disclosed in September 2018.
The exploit in WePresent attacks a command injection vulnerability. The vulnerability was contained within several versions of software in WePresent WiPG-1000 devices, which are wireless routers designed for screen sharing. Barco, the device's developer, has patched the vulnerability.
Palo Alto uncovered other exploits that hadn't been seen before in the wild in this new variant of Mirai, including for D-Link, Zyxel and NetGear routers. It also contains exploits that were in previous versions of Mirai, making for a grand total of 27 exploits targeted.
Older versions of Mirai had also incorporated some relatively exotic exploits, including for SonicWall's Global Management System (CVE-2018-9866) as well as the Apache Struts flaw (CVE-2017-5638), which was at the root of Equifax's devastating 2017 data breach.
Still, Troy Mursch, an independent security researcher with Bad Packets Report, says the service Mirai most hunts for remains an old favorite: telnet.
Mirai-like #malware infections last 365 days by port targeted: https://t.co/jJ77DcDOO3— Bad Packets Report (@bad_packets) 17 March 2019
Top 10 ports/services targeted:
23/tcp - Telnet
5555/tcp - ADB
2323/tcp - Telnet
80/tcp - HTTP
22/tcp - SSH
8080/tcp - HTTP
81/tcp - HTTP
37215/tcp - Huawei
8000/tcp - HTTP
8081/tcp - HTTP pic.twitter.com/kRhegcl8na
US Lawmakers Seek IoT Guidelines
Although Mirai is improving its toolkit, in theory, enterprises should already be ensuring their IoT devices are on the radar and incorporated into patching regimens.
"These developments underscore the importance for enterprises to be aware of the IoT devices on their network, change default passwords, ensure that devices are fully up-to-date on patches," Nigam writes.
Security experts have often laid blame for the state of IoT on manufacturers, which shipped devices with default credentials and did not promptly patch or patch at all.
But the U.S. is pushing for improvements in the equipment that it procures, which could help drive industry change. Last week, legislation was introduced in Congress that would require that IoT devices purchased by the U.S. government meet minimum security standards (see: Congress Considers IoT Cybersecurity Legislation - Again).
The proposed legislation, called the Internet of Things Cybersecurity Improvement Act of 2019, would have National Institute of Standards and Technology draft requirements. The Office of Management and Budget would issue procurement guidelines for agencies, which would then be reviewed every five years.
In May 2018, a report by the commerce and homeland security departments strongly criticized the IoT industry. "Product developers, manufacturers, and vendors are motivated to minimize cost and time to market, rather than to build in security or offer efficient security updates," the report says.
Executive Editor Mathew Schwartz also contributed to this story.