Security researchers have discovered a new variant of the feared Mirai botnet that infects not only a range of routers but also IP cameras, network storage devices, NVRs, WePresent WiPG-1000 Wireless Presentation systems, and LG Supersign TVs.
This new variant was first discovered in January this year and features as many as eleven new exploits as well as new credentials to use in brute force attacks on IoT devices. The new exploits enable cyber criminals to target a range of IoT devices used by enterprises and then leverage hijacked devices to target the enterprises themselves.
“These new features afford the botnet a large attack surface. In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks.
These developments underscore the importance for enterprises to be aware of the IoT devices on their network, change default passwords, ensure that devices are fully up-to-date on patches. And in the case of devices that cannot be patched, to remove those devices from the network as a last resort,” said researchers at Palo Alto’s Unit 42.
The reach of the new Mirai variant can be gauged from its exploit count: including the eleven new ones, it carries a total of 27 exploits, which enable it to infect a wide range of IoT devices and other connected equipment used by organisations. It uses the domain epicrustserver[.]cf at port 3933 for C2 communication and can be commanded to launch HTTP Flood DDoS attacks.
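One way to check network logs for the C2 indicator named above, as an added example that is not from the article or from Unit 42. The log line format, the IP addresses (documentation ranges) and the function names are constructed assumptions.

```python
from collections import defaultdict

# Indicator from the article, refanged at runtime so the source stays defanged.
C2_DOMAIN = "epicrustserver[.]cf".replace("[.]", ".")
C2_PORT = "3933"

# Constructed sample log in a hypothetical format:
#   "<time> dns <client> <queried-name> <answer-ip>"
#   "<time> flow <source> <destination> <dest-port>"
SAMPLE_LOG = """\
10:00:01 dns 10.0.5.21 epicrustserver.cf 203.0.113.7
10:00:02 flow 10.0.5.21 203.0.113.7 3933
10:00:05 dns 10.0.5.30 example.com 198.51.100.4
10:00:06 flow 10.0.5.30 198.51.100.4 443
10:00:09 flow 10.0.5.44 203.0.113.7 3933
10:00:12 flow 10.0.5.30 198.51.100.9 3933
10:00:15 dns 10.0.5.52 notepicrustserver.cf 198.51.100.20
"""

def is_c2_name(qname):
    """Match the C2 domain or a subdomain of it, not look-alike suffixes."""
    name = qname.lower().rstrip(".")
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)

def find_c2_activity(log_text):
    """Return {host: sorted reasons} for hosts whose traffic matches the indicator."""
    records = [r for r in (line.split() for line in log_text.splitlines()) if len(r) == 5]
    findings, c2_ips = defaultdict(set), set()
    # Pass 1: lookups of the C2 name also reveal the addresses it resolved to.
    for _, kind, client, qname, answer in records:
        if kind == "dns" and is_c2_name(qname):
            findings[client].add("dns-lookup")
            c2_ips.add(answer)
    # Pass 2: flows, graded by how closely they match the indicator.
    for _, kind, src, dst, dport in records:
        if kind != "flow":
            continue
        if dst in c2_ips and dport == C2_PORT:
            findings[src].add("c2-connection")      # strongest signal
        elif dst in c2_ips:
            findings[src].add("c2-ip-other-port")
        elif dport == C2_PORT:
            findings[src].add("port-3933-only")     # weak: port alone, triage needed
    return {host: sorted(reasons) for host, reasons in findings.items()}

if __name__ == "__main__":
    for host, reasons in sorted(find_c2_activity(SAMPLE_LOG).items()):
        print(host, ", ".join(reasons))
```

Hosts flagged only for the port need triage before any action, since other software may use port 3933; a DNS lookup or a connection to a resolved C2 address is the stronger signal.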
Flaws in enterprise IoT devices can be easily addressed
“This evolution of IoT based botnets targeting the enterprise makes sense. Enterprises are rapidly adopting IoT technologies, such as the WePresent system and the LG Supersign TV, and vulnerable IoT devices within enterprise networks increase attacker motivation due to more lucrative financial returns via extortion, intellectual property theft and such,” said Lane Thames, senior security researcher at Tripwire.
He added that what worries him most is that organisations in the digital industry still have a long way to go in terms of maturing their secure development practices. The vulnerabilities that allow the new Mirai variant to affect WePresent and the Supersign TV are a classic case of a web application not sanitizing user input (input that a user/attacker can control when interacting with the web application) and can be easily addressed with modern development frameworks.
“Organisations developing web-based products should have mechanisms in place to catch such low hanging “fruit” as this during their development and QA processes. Don’t get me wrong, developing secure software is hard, and there is no such thing as perfect security. But, we should have graduated beyond this level of trivialness by now.
“Unfortunately, cyber defenders are fighting an uphill battle, and scale is one of our biggest challenges. Countless systems are being developed and rushed to market and this is coupled with a growing talent pool of developers and engineers that have not been trained in any way around cybersecurity along with businesses that don’t understand the need for secure product development. Mirai and likely many other types of IoT based botnets are here to stay for a very long time,” he added.