A new Mirai variant comes with eleven new exploits, the enterprise WePresent WiPG-1000 Wireless Presentation system and the LG Supersign TV being the most notable new devices being targeted.
A previous report by Palo Alto Networks’ Unit 42 from September saw a strain of the Mirai botnet switching targets to attack Apache Struts servers using an exploit also employed during last year’s Equifax breach, while a new Gafgyt version was observed while assailing SonicWall firewalls, as part of a larger move against enterprise assets.
In both those instances, the Unit 42 security researchers saw exploits of older and already patched vulnerabilities used in the attacks, hinting at the threat actors trying to make their work easier by compromising unpatched devices impacted by severe security flaws such as the CVE-2017-5638 for Apache Struts.
Mirai attacks against enterprise devices mounting up
This time, as previously mentioned, the researchers found that, besides its usual marks represented by routers, network video cameras, modem routers, and wireless controllers, the Mirai version detected during January 2019 is now also scanning for and exploiting LG Supersign TVs and WePresent WiPG-1000 Wireless Presentation systems present in enterprise environments.
On top of that, with the 11 new exploits added by its masters to be used in the attacks, the total now reaches 27. As further discovered by Unit 42, the botnet’s malicious payload is hosted on a Colombian company’s server which, ironically, provides “electronic security, integration and alarm monitoring” services.
“These new features afford the botnet a large attack surface. In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks,” according to Unit 42.
|CVE-2018-17173||LG Supersign TVs|
|WePresent WiPG-1000 Command Injection||WePresent WiPG-1000 Wireless Presentation systems|
|DLink DCS-930L Remote Command Execution||DLink DCS-930L Network Video Cameras|
|DLink diagnostic.php Command Execution||DLink DIR-645, DIR-815 Routers|
|Zyxel P660HN Remote Command Execution||Zyxel P660HN-T routers|
|CVE-2016-1555||Netgear WG102, WG103, WN604, WNDAP350, WNDAP360, WNAP320, WNAP210, WNDAP660, WNDAP620 devices|
|CVE-2017-6077, CVE-2017-6334||Netgear DGN2200 N300 Wireless ADSL2+ Modem Routers|
|Netgear Prosafe Remote Command Execution||Netgear Prosafe WC9500, WC7600, WC7520 Wireless Controllers|
Newly added exploits
The new Mirai variant spotted by Unit 42 also comes with a handful of new features:
Mirai is a self-propagating botnet created by Paras Jha, Josiah White, and Dalton Norman, originally designed to target Internet of Things (IoT) devices such as routers, digital video recorders, and IP cameras, transforming them into “bots” upon successful compromise which can later be used as sources for large-scale Distributed Denial of Service attacks.
During 2016, some malicious actors were advertising huge Mirai botnets of hundreds of thousands of infected devices capable of DDoS attacks over 650Gbps and managing to impact hundreds of thousands of devices [1, 2] during a single campaign.
Mirai still going strong despite creators’ getting caught
It all started after Jha posted the Mirai’s source code on a hacking forum during 2016 and, since then, other bad actors have used to create numerous other botnets using the code he shared as a starting point, most of them being on at least the same level of sophistication but, once in a while, adding newer and more complex attack tools [1, 2, 3, 4, 5, 6].
While their “masterpiece” was and is being improved by others and it still going strong as proven by Unit 42’s newest report on the new Mirai variant, Jha, White, and Norman were indicted and pleaded guilty for their role in the creation of the malware during December 2018, after Jha was first questioned by the FBI in January 2017 and the US authorities charged all three of them in May 2017.
Paras Jha was sentenced during October and ordered “to pay $8.6 million in restitution and serve six months of home incarceration” according to a DoJ release from October 26, 2018.