Mirai Malware Variants Increasingly Targeting Enterprise IoT Devices

Mirai Malware Variants Increasingly Targeting Enterprise IoT Devices

Malware variants that evolved from the original Mirai malware are increasingly targeting enterprise IoT devices, putting at risk enterprise networks from being exploited for nefarious activities such as distributed denial-of-service (DDoS) attacks and illicit cryptocurrency mining, as well as putting at risk enterprise cloud architecture from additional malware and further compromise.

Tracking the Mirai

The original Mirai malware was created by Paras Jha, Josiah White and Dalton Norman. The 3 creators of the Mirai malware in due course were arrested and sentenced by U.S. authorities. Prior to their arrest and sentencing, the source code of the Mirai malware was publicly released. The publication of the source code propelled the creation of multiple versions of Mirai to propagate in the wild. 

Mirai was first observed in the wild in 2016. The Mirai malware gained notoriety when the malware was used by the still unidentified attacker or attackers in launching a distributed denial-of-service (DDoS) attack on Dyn DNS, amajor dynamic DNS provider, which resulted in the widespread internet outages across the U.S. and Europe2016.

According to the IBM X-Force researchers, since 2016, there have been 63 Mirai variants observed in the wild. The researchers said that the multiple variants of Mirai have been used to perform nefarious activities such as DDoS attacks and illicit cryptocurrency mining.

In a DDoS attack, attackers overwhelm a target, such as a website or in the case of Dyn DNS, adynamic DNS provider, with voluminous traffic, bringing the target offline and rendering it inaccessible to legitimate users. Illicit cryptocurrency mining, meanwhile, refers to the use of the computing power without the knowledge and consent of the computer owner.

The Mirai malware variants are able to perform DDoS attacks and illicit cryptocurrency mining by infecting computers with security vulnerabilities and enslaving these infected computers to form as an army, also known as botnet, and perform activities such as DDoS or cryptocurrency or other activities according to the whim of the attacker controlling the botnet. The Mirai malware is a powerful tool for malicious actors as this malware allows them to automate the process of downloading any number of malware onto a large number of IoT devices.

Owners of IoT devices typically don’t consider these devices as computers. These devices are often installed and then forgotten. Unlike other computers such as desktops or laptops, IoT devices aren’t monitored for irregular behaviour, nor updated or their login details changed.

The original malware created by Jha, White and Norman infected hundreds of thousands of IoT devices, such as routers and security cameras and controlled these infected devices to form an army or a botnet to perform illegal activities such as DDoS attacks. The creators of the original malware were able to infect hundreds of thousands of IoT devices knowing that many IoT owners don’t bother to change the factory default logins details of these devices. The original Mirai uses 61 factory default login details in infecting IoT devices.

Enterprise IoT Devices at Risk

IBM X-Force researchers, which have been tracking Mirai campaigns since 2016, said that the Mirai variants’ tactics, techniques and procedures (TTPs) are now targeting enterprise IoT devices.

“Nowadays, enterprise IoT devices are everywhere, from instruments that monitor patients in hospitals, to wireless devices in smart meters that relay information to utility companies, to robots in warehouses that constantly deliver inventory information,” IBM X-Force researchers said. “Enterprises are increasingly dependent on IoT devices to run day-to-day operations, and attackers are well-aware of the growing attack surface.”

“As IoT devices become more common among households and large organizations, Mirai and its variants will continue to evolve to adapt to the changing environments and targets of its choice,” IBM X-Force researchers added.

The researchers observed that creators of the Mirai malware variants were dropping additional malware onto the infected devices, with cryptocurrency malware leading the way. Cryptocurrency malware, which steals the computing power of infected IoT devices to generate money for the attackers, are harmful to IoT devices as these devices are prone to overheating as these devices have little computing power compared to desktop or laptop computers with central processing unit (CPU) or graphics processing unit (GPU) resources. IBM X-Force researchers also observed that creators of Mirai malware variants were dropping steganography, which hides malicious code in images that trigger the download of additional malware.

The researchers also said that the Mirai malware variants pose a threat to cloud computing as IoT devices infected with Miral malware variants that are connected to cloud architecture could allow attackers to gain access to cloud servers. Once these malicious actors gain access to cloud servers, they could drop additional malware, the IBM X-Force researchers said.

In early 2009, researchers at Palo Alto Networks' Unit 42discovered a variant of the Mirai malware targeting WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs–IoT devices used by businesses. Targeting IoT devices used by businesses, according to researchers at Palo Alto Networks' Unit 42, gives attackers a large attack surface as IoT devices used by businesses have larger bandwidth, giving the attackers greater firepower for attacks such as DDoS attacks.

Prevention

As malicious actors are increasingly targeting enterprises IoT devices, it’s important to change the factory default usernames and passwords of these devices and to install the latest security update. If the IoT vendor no longer issues security updates or it isn’t possible to install security updates on these devices, it’s best to remove these devices from your organization’s network.

Get in touchwith our experts for additional threat information and to help you mitigate cybersecurity risks.