The infamous IoT botnet Mirai has a new variant that is specifically configured to target embedded enterprise devices such as presentation systems, surveillance systems and network storage devices.
The discovery of the latest Mirai variant was made by Palo Alto Networks’ Unit 42.
Technical Overview of the New Mirai Variant
The researchers found that the botnet was targeting WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs, both of which are entirely meant for business use.
This latest development indicates “a potential shift for using Mirai to target enterprises”, the official report said.
The previous version detected in the wild targeted enterprise vulnerabilities in Apache Struts and SonicWall, so this shift toward enterprise targets is most likely becoming a trend. The new variant includes 11 new exploits in a “multi-exploit battery”, along with new credentials to use in brute-force attacks.
The researchers also discovered that the malicious payload was hosted on a compromised website in Colombia which belonged to a business focused on electronic security, integration and alarm monitoring.
What are the new Mirai features all about?
The new features help the botnet build a larger attack surface. By targeting enterprise links, the botnet gains access to more bandwidth, which can be used in more powerful DDoS attacks.
These developments underscore the importance for enterprises to be aware of the IoT devices on their network, change default passwords, and ensure that devices are fully up to date on patches; in the case of devices that cannot be patched, those devices should be removed from the network as a last resort, Unit 42 said in its report.
The devices the new Mirai variant targets are made by vendors such as LG, D-Link, Netgear, ZTE, and Linksys.
Unit 42 is urging enterprises to be aware of the IoT devices on their network and to change default passwords. Enterprises should also make sure that all their devices are up to date. It is also crucial to note that devices that cannot be patched, for one reason or another, may need to be removed from the network as a precaution.
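The three recommendations above (know your IoT devices, change default passwords, patch or remove) can be turned into a repeatable inventory audit. The following script is an added example and is not code from the article or from Unit 42; the inventory it audits is constructed for illustration, the firmware version numbers and credential states are made up, and the `latest_firmware` field stands in for whatever a vendor advisory feed would supply. Vendor and model names are taken from the article, but nothing about their real firmware is implied.

```python
"""Audit a constructed IoT inventory against three controls: default credentials
still in use, firmware behind the vendor's latest release, and devices that can
no longer be patched (candidates for removal from the network)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class IoTDevice:
    hostname: str
    vendor: str
    model: str
    firmware: str                    # version currently installed
    latest_firmware: Optional[str]   # None means the vendor offers no fixed release
    default_credentials: bool        # True if the vendor default login still works


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple so "1.2.10" compares above "1.2.9"."""
    return tuple(int(part) for part in version.split("."))


def audit_device(device: IoTDevice) -> List[str]:
    """Return the findings for one device, in the order they should be actioned."""
    findings: List[str] = []
    if device.default_credentials:
        findings.append("DEFAULT_CREDENTIALS")      # rotate the login before anything else
    if device.latest_firmware is None:
        findings.append("UNPATCHABLE_REMOVE")       # no fix exists: isolate or remove
    elif parse_version(device.firmware) < parse_version(device.latest_firmware):
        findings.append("OUTDATED_FIRMWARE")        # a fix exists: schedule the update
    return findings


def audit_inventory(devices: List[IoTDevice]) -> Dict[str, List[str]]:
    """Map every hostname in the inventory to its list of findings (empty = clean)."""
    return {device.hostname: audit_device(device) for device in devices}


# Constructed sample inventory (hypothetical hostnames, versions and credential state).
SAMPLE_INVENTORY = [
    IoTDevice("present-01", "WePresent", "WiPG-1000", "1.2.0", "1.2.0", True),
    IoTDevice("signage-lobby", "LG", "Supersign TV", "1.0.1", "1.1.0", False),
    IoTDevice("nas-backup", "ExampleVendor", "NAS-Legacy", "3.4.0", None, True),
    IoTDevice("cam-dock-2", "ExampleVendor", "IPCam", "2.0.0", "2.0.0", False),
]

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:15} {', '.join(findings) or 'OK'}")
```

In practice the inventory would be populated from a network scan or asset database and `latest_firmware` from vendor advisories; the point of the audit is that a device with no fix available is surfaced explicitly rather than silently staying on the network.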