WootCloud Blog

They’re Back… Mirai Variant Botnets Attack IoT and Infrastructure Once Again

One of the most well-known botnets ever to exist, one that continues to plague PCs and connected devices, is back.

Cyberattackers and criminals continue to take advantage of lax Internet of Things (IoT) security in widespread attacks using botnets built from the Mirai codebase.

Computers and other connected devices, including IoT and NAS devices, are compromised through this Mirai-based variant, which preys on weak credentials, vulnerabilities, exploit kits, and other security weaknesses.

The most well known of these, perhaps, is Mirai itself, which launched catastrophic DDoS attacks in 2016 against DNS provider Dyn, the website of cybersecurity expert Brian Krebs, and many, many more.

Per AT&T Alien Labs, the latest variant, “BotenaGo”, contains exploits for more than 30 vulnerabilities in products from multiple vendors, including Linksys, D-Link, Netgear, and ZTE, to spread Mirai botnet malware.

According to Alien Labs, just three of the 60 antivirus engines on VirusTotal currently detect the malware, so there is work to do.

Actions You Can Take Today

Threat actors commonly use the vulnerabilities below in exploit kits to compromise IoT devices and expand their botnets:

  • CVE-2018-4068, CVE-2018-4070 and CVE-2018-4071: Information leaks in Sierra Wireless AirLink (ES450 FW version 4.9.3)
  • CVE-2019-12258, CVE-2019-12259, CVE-2019-12262 and CVE-2019-12264: DoS vulnerabilities in the Wind River Systems VxWorks RTOS
  • CVE-2019-12255, CVE-2019-12260, CVE-2019-12261 and CVE-2019-12263: Memory corruption flaws in the VxWorks RTOS
  • CVE-2021-28372: An authentication bypass bug in the ThroughTek Kalay P2P SDK (versions 3.1.5 and earlier)
  • CVE-2021-31251: An improper authentication issue in Chiyu Technology firmware
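As an added illustration of the audit and patch-cycle advice that follows (example code written for this post, not an AT&T Alien Labs or Intel 471 tool), the script below matches a constructed device inventory against the products and version bounds listed above. The rules encode only what the list states: the AirLink rule matches the single stated firmware version, the Kalay rule matches 3.1.5 and earlier, and rules with no stated version flag every matching product for manual review. Host names, product strings and firmware versions in the sample inventory are made up.

```python
"""Flag inventory entries that fall inside the affected products/versions listed above."""
from dataclasses import dataclass
from typing import Optional

def parse_version(v: str) -> tuple:
    """'4.9.3' -> (4, 9, 3). Non-numeric or empty parts count as 0 (assumption)."""
    parts = []
    for p in v.strip().split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

@dataclass
class Rule:
    product: str                       # matched case-insensitively as a substring
    cves: list
    exact: Optional[str] = None        # only this firmware version is stated as affected
    max_version: Optional[str] = None  # this version and every earlier one is affected

RULES = [
    Rule("airlink es450", ["CVE-2018-4068", "CVE-2018-4070", "CVE-2018-4071"], exact="4.9.3"),
    Rule("vxworks", ["CVE-2019-12258", "CVE-2019-12259", "CVE-2019-12262", "CVE-2019-12264",
                     "CVE-2019-12255", "CVE-2019-12260", "CVE-2019-12261", "CVE-2019-12263"]),
    Rule("kalay", ["CVE-2021-28372"], max_version="3.1.5"),
    Rule("chiyu", ["CVE-2021-31251"]),
]

def affected(rule: Rule, product: str, version: str) -> Optional[str]:
    """Return a reason string if the device matches the rule, else None."""
    if rule.product not in product.lower():
        return None
    if rule.exact is not None:
        return "stated-affected firmware" if parse_version(version) == parse_version(rule.exact) else None
    if rule.max_version is not None:
        ok = parse_version(version) <= parse_version(rule.max_version)
        return "version at or below affected range" if ok else None
    return "no version bound stated; review manually"

def audit(inventory):
    """inventory: iterable of (host, product, firmware_version). Returns findings to prioritise."""
    findings = []
    for host, product, version in inventory:
        for rule in RULES:
            reason = affected(rule, product, version)
            if reason:
                findings.append({"host": host, "cves": list(rule.cves), "reason": reason})
    return findings

SAMPLE_INVENTORY = [  # constructed sample data, not real devices
    ("gw-01", "Sierra Wireless AirLink ES450", "4.9.3"),
    ("gw-02", "Sierra Wireless AirLink ES450", "4.11.0"),
    ("plc-07", "Wind River VxWorks", "6.9"),
    ("cam-12", "ThroughTek Kalay P2P SDK", "3.1.4"),
    ("cam-13", "ThroughTek Kalay P2P SDK", "3.2.0"),
    ("door-03", "Chiyu Technology firmware", "unknown"),
]
```

Running `audit(SAMPLE_INVENTORY)` flags gw-01, plc-07, cam-12 and door-03 and leaves the two devices outside the stated version bounds untouched.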

“The cybercriminal underground will continue to build off of Mirai, targeting every piece of equipment it can as the IoT market continues to boom,” the cybersecurity firm says.

Intel 471 recommends that organizations implement IoT device monitoring processes, perform regular security audits, routinely rotate credentials and keys, and maintain regular patch application cycles.

Refer to our Back to Basics series for password management, or use this list of default passwords for 548 router brands and start updating them one by one: https://www.routeripaddress.com/

The following associated detection methods are in use by AT&T Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research. CVEs included as well.

Consider Intelligent Security Automation with Nuanced Control

Our mission, like yours, is to provide your employees, students, faculty and others with a safe, user-friendly and secure environment by:

  • Giving full visibility – with RF and network sensors seeing 100% of your devices and infrastructure, encompassing all stages of attack: infiltration, persistence, and exfiltration
  • Reducing Mean Time to Resolution (MTTR) – with AI/ML-powered, automated remediation that drives a >70% reduction in threat hunting times
  • Boosting user experience – by reducing support ticket volumes and lowering alert noise for a >60% gain in operational efficiency (~1.4 FTE service savings per site, per shift)

Each of these benefits on its own can offer 5-6 figure USD savings per year, shortening the payback period on your investment.

The perfect cybersecurity storm has arrived. Consider intelligent device and infrastructure security today.

To learn more in a zero-touch, no-obligation demo or POC, please contact us.

Contributing Authors:

Andreas Stenzel
