Additions to the Mirai botnet suggest those behind the automated IoT-based attack mechanism are turning more to enterprise devices, says a report from Palo Alto Networks.
The company’s Unit 42 threat intelligence division said Monday that new targets of the botnet include the WePresent WiPG-1000 Wireless Presentation systems and LG’s Supersign TVs. Businesses that use these devices should ensure they are password-protected.
Also new on the botnet’s list are exploits for D-Link DCS-930L network video cameras, D-Link DIR-645 and DIR-815 home routers, Zyxel P660HN-T routers, and a number of access points and wireless controllers from Netgear.
They join earlier enterprise targets including products from SonicWall and an exploit of the Apache Struts web framework.
This new Mirai variant also includes more credentials to use in brute-force attacks against devices.
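A larger credential list makes the botnet's login attempts easier to spot from the device side: many failures from one source in a short window, often spread across several usernames. The following detector is an added example, not code from the report or from Palo Alto Networks; the syslog-style log format, the host name `cam01`, the IP addresses and the 5-failures-in-60-seconds threshold are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log lines (assumed syslog-like format of a device web UI).
# Not taken from the report or from any real device.
SAMPLE_LOG = """\
2019-03-18T10:00:01Z cam01 httpd: login failed user=admin src=198.51.100.23
2019-03-18T10:00:02Z cam01 httpd: login failed user=root src=198.51.100.23
2019-03-18T10:00:03Z cam01 httpd: login failed user=support src=198.51.100.23
2019-03-18T10:00:04Z cam01 httpd: login failed user=admin src=198.51.100.23
2019-03-18T10:00:05Z cam01 httpd: login failed user=user src=198.51.100.23
2019-03-18T10:00:06Z cam01 httpd: login failed user=admin src=198.51.100.23
2019-03-18T10:05:00Z cam01 httpd: login ok user=admin src=192.0.2.10
2019-03-18T10:07:00Z cam01 httpd: login failed user=admin src=192.0.2.10
2019-03-18T10:07:30Z cam01 httpd: login ok user=admin src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) httpd: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag sources with at least `threshold` failed logins inside a sliding window.

    Each alert records the peak failure count and the number of distinct
    usernames tried, which is the signature of a credential list being replayed.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures inside the window
    alerts = {}                  # src -> alert dict
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "failed":
            continue
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["user"]))
        # Drop failures that fell out of the window.
        while (rec["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) < threshold:
            continue
        alert = alerts.get(rec["src"])
        if alert is None:
            alert = alerts[rec["src"]] = {
                "src": rec["src"], "host": rec["host"],
                "first": q[0][0], "last": rec["ts"],
                "failures": 0, "distinct_users": 0,
            }
        alert["last"] = rec["ts"]
        alert["failures"] = max(alert["failures"], len(q))
        alert["distinct_users"] = max(alert["distinct_users"], len({u for _, u in q}))
    return sorted(alerts.values(), key=lambda a: a["first"])


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"{a['src']} -> {a['host']}: {a['failures']} failed logins, "
              f"{a['distinct_users']} usernames, "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}")
```

Only the first source trips the rule: six failures in six seconds across four usernames. The second source fails once and then succeeds, which a plain "N failures" rule would still count but the sliding window never lets accumulate. On a real device the thresholds should be tuned to the device's normal login rate, and the alert would feed a log collector rather than stdout.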
And in an ironic twist, the report says the malicious payload was hosted at a compromised website in Colombia belonging to an unnamed electronic security, integration and alarm monitoring company.
“These new features afford the botnet a large attack surface,” says the report. “In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks.
“These developments underscore the importance for enterprises to be aware of the IoT devices on their network, change default passwords, ensure that devices are fully up-to-date on patches and, in the case of devices that cannot be patched, remove those devices from the network as a last resort.”
Mirai is a botnet composed of hundreds of thousands of routers, network storage devices, NVRs and IP cameras, used to deliver malware and launch distributed denial of service (DDoS) attacks. Some of the biggest DDoS victims have been web hosting provider OVH, DNS provider Dyn and the website of security reporter Brian Krebs.
Three Americans who created the Mirai botnet have been fined, forced to give up cryptocurrency and sentenced to five years’ probation. However, one of the group published the source code, so criminals have copied it to set up their own versions and continue spreading malware.
Commenting on the two new device targets listed in the Palo Alto report, Lane Thames, senior security researcher at Tripwire, said the news shows the computing industry still has a long way to go in toughening up secure development practices. The two vulnerabilities affecting WePresent and the Supersign TV “are trivial to exploit, but, more concerning, is that they are trivial to prevent. These two vulnerabilities are a classic case of a web application not sanitizing user input (input that a user/attacker can control when interacting with the web application). These two vulnerabilities are very basic and easily addressed with modern development frameworks. Further, organizations developing web-based products should have mechanisms in place to catch such low-hanging fruit as this during their development and QA processes.”
“Don’t get me wrong,” he added, “developing secure software is hard, and there is no such thing as perfect security, but, we should have graduated beyond this level of trivialness by now.”
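The defect class Thames describes, user-controlled input reaching a privileged operation without validation, is shown below in a generic form as an added example; it is not the WePresent or Supersign code, which the page does not show, and the diagnostic "ping" handler, the `target` parameter name and the host-name policy are assumptions for illustration. The unsafe builder splices the raw value into a shell command line; the hardened one validates against a strict allow-list (an IP address or an RFC 1123-style host name) and passes an argv list so no shell ever parses the value.

```python
import ipaddress
import re

# Allow-list for a host name: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen, at most 63 chars per label and 253 overall.
# This is an assumed policy for the example, not taken from the page.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_target(value):
    """Return the value if it is an IP address or a well-formed host name, else raise."""
    if not isinstance(value, str):
        raise ValueError("target must be a string")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass  # not an IP literal; fall through to the host-name check
    if HOSTNAME_RE.match(value):
        return value
    raise ValueError(f"rejected target: {value!r}")


def build_diag_command_unsafe(target):
    """Anti-pattern: user-controlled text is spliced straight into a shell command line."""
    return f"ping -c 1 {target}"


def build_diag_command(target):
    """Hardened form: validate first, then build an argv list (no shell involved)."""
    return ["ping", "-c", "1", validate_target(target)]


def handle_request(params):
    """Stand-in for a web handler: returns (HTTP status, body).

    A real handler would pass the returned argv to subprocess.run(argv) with
    shell=False; here it only reports the command it would run.
    """
    try:
        argv = build_diag_command(params.get("target", ""))
    except ValueError as exc:
        return 400, str(exc)
    return 200, " ".join(argv)


if __name__ == "__main__":
    for raw in ["cam01", "192.0.2.10", "camera-01.example.net",
                "192.0.2.10; ls", "-example.net", ""]:
        print(f"{raw!r:28} unsafe={build_diag_command_unsafe(raw)!r:34} "
              f"hardened={handle_request({'target': raw})}")
```

The point of the allow-list is that it describes what a legitimate value looks like rather than trying to enumerate bad characters, so anything unexpected (shell metacharacters, whitespace, an empty string, an over-long label) is refused with a 400 before the value is used. Most modern web frameworks provide request validation that achieves the same thing declaratively, which is what the quote means by "easily addressed with modern development frameworks".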