New Mirai botnet variant takes aim at enterprise IoT

The infamous Mirai botnet is again making headlines after security researchers from Palo Alto Networks discovered a variant form of the malware has begun targeting smart signage TVs and wireless presentation systems, TechRadar reported. Security professionals have known about this new strain since early 2019, but until recently it had not been actively weaponized. Initial investigations found that the authors outfitted older versions of the malware with updated capabilities, including 11 IoT-focused exploits tailored for enterprise environments.

Mirai's self-propagating malware is used to infect internet-connected devices that are not adequately secured, specifically those that utilize default usernames and passwords. Once infiltrated, each device can be leveraged as part of a large-scale DDoS attack, which overwhelms a targeted server by flooding it with more web traffic than it can handle, often disabling a website or computer system entirely — the more devices a botnet can assimilate, the greater its output potential. The new wave of malware poses a major risk to companies across all industries, as IoT devices have become a core feature of many operational environments.

A brief history
The first wave of Mirai botnet attacks started in September 2016, when OVH (a French cloud computing company) was hit by a powerful DDoS attack, according to a CSO report. The company was targeted as a means of taking down a popular anti-DDoS security tool used by Minecraft server hosts, though OVH managed to restore the service shortly after. Following the successful attack, the creator of the Mirai malware posted the code online, which was quickly scooped up by other would-be botnet operators.

On Oct. 12, 2016, the Mirai botnet was used to launch an immense network-level attack against Dyn, an industry-leading infrastructure company that provides DNS services to several high-profile websites, such as GitHub, Twitter, Reddit and Netflix. FBI investigators commented that the incident was likely targeting game servers owned and operated by Microsoft, but several other companies were impacted as a result. One month later, Mirai led to a mass shutdown of Deutsche Telekom routers that affected over 900,000 customers — the malware exploited a TR-069 protocol vulnerability that allowed the botnet to hijack the network routers with minimal resistance, Incapsula reported.

Enterprise IoT is the latest target of Mirai malware infection attempts and botnet expansion.

Mirai now targets enterprise IoT
Mitigating the effects of Mirai malware has been extremely difficult, as every new variant increases the botnet's ability infect larger numbers of IoT devices and expand into networks with higher available bandwidth. While the most recent strain is not the first time Mirai has targeted enterprise environments, it does represent a clear shift toward the exploitation of industrial assets. Previous iterations of the malware were primarily used to infect a wide range of consumer devices, including routers, modems and DVRs, yet the new strain has been specifically designed to infect LG's Supersign TVs and the WePresent WiPG-1000 wireless presentation system, according to TechTarget.

The best way to protect IoT devices from infection is for companies to partner with trusted manufacturers to bolster their security protocols. Additionally, enterprise IT managers must update the credentials for all devices before they are fully deployed, as Mirai malware typically spreads through exposed Telnet ports that utilize default usernames and passwords. Investing in secure and scalable serial console servers that enable streamlined remote data center administration and out-of-band management of IT assets is another effective precaution, as it's only a matter of time before cybercriminals develop an industrial-focused variant of Mirai malware.

Luckily, Perle offers industry-grade connectivity tools that can help companies safeguard their mission critical operations and maintain their system sustainability over the long term. Read some of our customer stories to find out how we've helped other security-minded companies improve their infrastructure and stay connected when it mattered most.