New variant of Mirai botnet malware targets enterprise IoT devices

Mirai was responsible for some of the biggest DDoS attacks ever seen

Security experts from Unit 42, the threat intelligence group of Palo Alto Networks, have discovered a new variant of the Mirai IoT malware, targeting enterprise-focused devices rather than the vulnerable consumer IoT devices.

Researchers found the new variant targeting LG Supersign TVs and WePresent WiPG-1000 Wireless Presentation system, both of which are used by businesses with networks offering larger amounts of bandwidth.

Mirai was responsible for some of the biggest distributed denial-of-service (DDoS) attacks ever seen. The malware takes advantage of old, out-of-date versions of Linux running on CCTV DVRs, webcams, routers and other cheaply thrown together IoT devices, infecting them with code that grants even unsophisticated attackers control over networks of hundreds of thousands of devices.

In 2016, the malware delivered massive DDoS attacks against KrebsOnSecurity and French web hosting provider OVH.

In October 2016, the Mirai botnet attacked the Dyn DNS service, sending enormous amounts of traffic at its authoritative DNS servers and making them unable to respond to genuine queries. As a result, several organisations, including CNN, Twitter and Netflix, which relied on Dyn for authoritative DNS services, were unreachable for several hours.

Unit 42, which investigated the Mirai malware in detail, reveals that the new variant has attained several new capabilities, including 11 new exploits. In total, the malware now contains 27 exploits.

"These new features afford the botnet a large attack surface," Unit 42 researcher Ruchna Nigam wrote in a blog post.

In the case of LG Supersign TVs, the researchers found the LG SuperSignEZ CMS vulnerable to remote code execution because of incorrect parameter handling.

For WePresent WiPG-1000 system, the malware was found targeting a command-injection vulnerability.

The researchers also found the new variant targeting several embedded hardware products, such as network storage devices, routers (ZTE ZXV10 H108L routers), IP cameras and NVRs.

It's not the first time that researchers have found Mirai trying to infiltrate enterprise networks. Last September, Mirai was noticed targeting the same Apache Struts weaknesses that were exploited by attackers to breach Equifax.

In November 2018, researchers noticed Mirai malware targeting enterprise Linux servers running Hadoop.

The research team now advises enterprises to be more aware of the IoT devices on their network.

The researchers say IT security staff at enterprises should change default passwords of their devices and must also ensure that all devices in the network are up-to-date on patches.
