A new variant of Mirai just before Christmas? Sure, why not!
Qihoo 360 Netlab researchers just witnessed new uptick while tracking botnet activity associated with a new variant of the well-known Mirai IoT malware. Users should be aware that ports 23 and 2323 on IoT devices manufactured by ZyXEL Communications are targeted. The devices are known to be using default admin/CentryL1nk and admin/Qwestm0dem telnet credentials, researchers reported.
About 60 hours ago, since 2017-11-22 11:00, we noticed big upticks on port 2323 and 23 scan traffic, with almost 100k unique scanner IP came from Argentina. After investigation, we are quite confident to tell this is a new Mirai variant.
The research team observed two new credentials – admin/CentryL1nk and admin/QwestM0dem – in their honeypot traffic. Apparently, the two ports are currently used in an active manner. It should be noted that credential admin/CentryL1nk was first appeared in an exploit about ZyXEL PK5001Z modem in exploit-db less than a month ago.
Mirai emerged last year when it started spreading and affecting IoT devices accessing them via default password and usernames. Affected devices were included in a botnet which was deployed for distributed denial of service attacks (DDoS). DNS provider Dyn was one of the biggest victims leading to attacks on popular platforms such as Twitter and Netflix.
In February this year the botnet was even equipped with a Windows variant, Trojan.Mirai.1, as revealed by security researchers at Dr. Web. The new variant targeted Windows and could compromise more ports than its Linux counterpart. Trojan.Mirai.1 was also infecting IoT devices and carrying out DDoS attacks, as with the Linux version.
As mentioned already, current attacks are taking advantage of two new credentials (admin/CentryL1nk and admin/QwestM0dem). Apparently, hackers successfully automated the process of logging into ZyXEL devices via telnet credentials. A separate hard coded superuser vulnerability identified as CVE-2016-10401 was also leveraged to gain root privileges on targeted devices.
Details about CVE-2016-10401
ZyXEL PK5001Z devices have zyad5001 as the su password, which makes it easier for remote attackers to obtain root access if a non-root account password is known (or a non-root default account exists within an ISP’s deployment of these devices).
Researchers have been observing a troublesome trend involving attackers actively exploiting publicly disclosed details of this exploit since it was first released in October.
Qihoo 360 researchers reported that the exploitation of the two credentials mentioned above started on November 22. The team detected that most of the scanner IP traffic came from Argentina with approximately 65.7 thousand unique scanners in less than a day.
This is not the first time ZyXEL gear gets compromised
Several months ago, researcher Stefan Viehböck reported that WiMAX routers created by ZyXEL were susceptible to an authentication bypass that could enable a malicious actor to change the password of the admin user, obtain access to the targeted device or even the network itself.
Another researcher, Pedro Ribeiro, came across accessible admin accounts and command injection flaws in routers manufactured by ZyXEL and distributed by TrueOnline, or the biggest broadband company in Thailand.
How to protect your IoT devices – some useful tips
There are several guidelines that all IoT device owners should follow to protect their networks and hosts from malicious intrusions and other security threats. These measures do not require large amounts of time which is often brought up as a reason not to employ all measures. Depending on the environment there may be some differences in the scale of configuration changes. Nonetheless, we are giving you the more general tips which should provide adequate security against most threats.
- Minimize Non-Critical Network Exposure – This is actually one of the simplest ways to minimize hacker attacks. This is also one of the easiest measures that device owners can implement. This policy mandates that all unused features and services that the user does not use should be switched off. If the device is a non-critical one (important services do not depend on it) it can also be switched off when not in use. A good firewall setup that prevents administrator access from external networks can protect against brute force attacks. Devices that serve important functions can be segmented into another zone from the primary work or home network.
- A Thorough Setup – Many intrusion attacks are carried by using two popular methods – brute force and dictionary attacks. They act against the authentication mechanisms of the appliances. System administrators can enforce a strong password policy and measures that defend against brute force attacks by adding intrusion detection systems. Using secure protocols is also a good idea – VPN and SSH with a proper security configuration.
- Security Updates – Not providing security updates to the owned appliances is probably one of the biggest problems that lead to intrusion attacks. It is important to perform regular updates, click to learn more.
- Implement Additional Security Measures – When IoT devices are used in a corporate or production environment there are several ways to strengthen the security. These include penetration testing, proactive network management and analysis methods.