New Mirai malware variant targets enterprise devices
Researchers from Palo Alto Networks have spotted a new variant of the Mirai botnet that is targeting enterprise presentation systems and digital signage with 11 new exploits.
A new variant of the Mirai malware is going after wireless presentation and display systems, indicating a potential shift in using Mirai to target enterprises.
Spotted by Palo Alto Networks' Unit 42 researchers earlier this year, the new Mirai variant attacked WePresent WiPG-1000 wireless presentation systems and LG Supersign TVs, which are primarily used by enterprises. The Mirai malware variant includes 11 new exploits for a total of 27, according to a report from Unit 42 researchers. The variant also infects other connected devices, like routers, network storage devices, network video recorders and IP cameras.
Unit 42 researchers also said this isn't the first time Mirai malware has attacked enterprise devices, noting the discovery of a variant that exploited vulnerabilities in SonicWall products and Apache Struts server software.
"Enterprises have access to greater bandwidth than consumers do," said Ryan Olson, vice president of threat intelligence for Unit 42 at Palo Alto Networks. "This focus could be part of a search for greater bandwidth for great DDoS [distributed denial-of-service] attacks."
Mirai gained public attention in 2016 when hackers used it to create a botnet that took advantage of insecure IoT devices and launched a massive DDoS attack against infosec journalist Brian Krebs.
Another feature of the Mirai malware variant is that it includes new credentials for brute-force attacks against devices, adding four new username-password combinations: admin:huigu309; root:huigu309; CRAFTSPERSON:ALC#FGU and root:videoflow.
In addition to scanning for vulnerable devices, the new Mirai variant can also be commanded to send out HTTP flood DDoS attacks, according to the report. It uses the domain epicrustserver[.]cf at port 3933 for C2 communication.
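The indicators above (the defanged C2 domain, the C2 port and the four credential pairs) are what a defender would first turn into detections. The following Python script is an added example, not code from Unit 42 or from the report; it matches those indicators against constructed sample lines from a DNS resolver log, a firewall connection log and a device authentication log, and correlates hosts that trip more than one indicator. The log formats, IP addresses and timestamps are assumptions made for the example.

```python
"""Match constructed sample logs against the indicators reported for this Mirai variant."""
import re
from collections import Counter

# Indicators as given on the page (the domain is defanged there as epicrustserver[.]cf).
C2_DOMAIN_DEFANGED = "epicrustserver[.]cf"
C2_PORT = 3933
# Username:password pairs the report lists as new brute-force credentials.
BRUTE_FORCE_CREDS = {
    ("admin", "huigu309"),
    ("root", "huigu309"),
    ("CRAFTSPERSON", "ALC#FGU"),
    ("root", "videoflow"),
}


def refang(domain):
    """Turn a defanged indicator ('example[.]cf') back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


# Constructed sample lines (not real telemetry). The key=value formats are assumed.
SAMPLE_DNS = [
    "2019-03-18T10:01:02Z client=10.20.5.14 query=epicrustserver.cf type=A",
    "2019-03-18T10:01:05Z client=10.20.5.15 query=updates.example.com type=A",
]
SAMPLE_CONN = [
    "2019-03-18T10:01:03Z src=10.20.5.14 dst=203.0.113.9 dport=3933 proto=tcp action=allow",
    "2019-03-18T10:01:06Z src=10.20.5.15 dst=203.0.113.10 dport=443 proto=tcp action=allow",
]
SAMPLE_AUTH = [
    "2019-03-18T10:00:50Z device=10.20.5.14 user=admin pass=huigu309 result=fail",
    "2019-03-18T10:00:51Z device=10.20.5.14 user=admin pass=Winter2019 result=fail",
    "2019-03-18T10:00:52Z device=10.20.5.16 user=root pass=videoflow result=success",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Return the key=value fields of a log line as a dict."""
    return dict(KV.findall(line))


def find_c2_dns(lines, domain=C2_DOMAIN_DEFANGED):
    """Clients that resolved the reported C2 domain."""
    target = refang(domain)
    return [parse(l)["client"] for l in lines if parse(l).get("query", "").lower() == target]


def find_c2_connections(lines, port=C2_PORT):
    """Sources that opened a TCP connection to the reported C2 port."""
    hits = []
    for l in lines:
        f = parse(l)
        if f.get("proto") == "tcp" and int(f.get("dport", 0)) == port:
            hits.append(f["src"])
    return hits


def find_cred_attempts(lines, creds=BRUTE_FORCE_CREDS):
    """(device, user, result) for every login that used one of the reported credential pairs."""
    hits = []
    for l in lines:
        f = parse(l)
        if (f.get("user"), f.get("pass")) in creds:
            hits.append((f["device"], f["user"], f["result"]))
    return hits


def correlate(dns, conn, auth):
    """Hosts with more than one indicator type are the strongest candidates for triage."""
    score = Counter()
    score.update(find_c2_dns(dns))
    score.update(find_c2_connections(conn))
    score.update(d for d, _, _ in find_cred_attempts(auth))
    return {host: n for host, n in score.items() if n > 1}


if __name__ == "__main__":
    print(correlate(SAMPLE_DNS, SAMPLE_CONN, SAMPLE_AUTH))
```

A single credential hit or a single DNS lookup is only a weak signal on its own; the correlation step is what lifts a host such as 10.20.5.14 (C2 lookup, C2 port connection and a reported credential pair, all in the sample data) to the top of the triage list. Note also that the successful login with root:videoflow on 10.20.5.16 is exactly the default-password case the later defensive advice on this page addresses.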
Bad actors have an infinite number of reasons to go after connected devices in the enterprise, said Katell Thielemann, a vice president at Gartner.
"When it comes to this particular variant, which targets enterprise assets like presentation systems or digital signage, any number of use cases comes to mind -- from overwhelming enterprise systems with distributed denial-of-service attacks to recording sensitive boardroom conversation for financial gain in the stock market, or competitive intelligence on important bids," Thielemann said in an email interview.
Defending against Mirai botnet attacks
Enterprises need to realize that risks, threats and vulnerabilities now clearly exist along a broad cyber-physical continuum, with incidents in the cyber world now affecting physical-world activities and vice versa, Thielemann said.
"As such, they need to elevate risk management to an enterprise level," she said. "This is not an IT or information security problem; this is an enterprise-level problem. It means better controlling what is bought via tighter supply chain security. It means implementing sound network architecture disciplines, like microsegmentation. It also means an increased focus on employee outreach and training so they realize security is everyone's job."
Bryce Austin, CEO of cybersecurity consulting firm TCE Strategy, said simple steps like ensuring devices are fully up to date on patches and changing default passwords can take the teeth out of this threat and future threats to come.
For devices that cannot be patched, the Unit 42 report advised enterprises to remove those devices from the network.
"Security cameras need to be behind next-generation firewalls that can automatically put up defenses against these new threats in near-real time," Austin said in an email interview.
Austin said another effective way to protect connected devices against this new Mirai malware variant is to segregate internet-facing devices from the rest of the internal network so they can't be used as a launching point for an internal attack.
"Egress filtering needs to be turned on so that internet-facing devices can only send the type of traffic and the amount of traffic that is appropriate for their purpose," he added.
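Austin's two recommendations, segregating internet-facing devices and limiting both the type and the amount of traffic they may send out, can be expressed as a per-device egress policy. The Python script below is an added example written for this article, not a tool from any of the people or companies quoted; it evaluates constructed flow records from a signage display and a presentation system against an allowlist of protocol/port pairs plus a per-minute outbound byte cap, and compares the result with a permissive "filtering off" policy. Device names, ports, caps and flow values are all assumptions made for the example.

```python
"""Evaluate egress flows from internet-facing devices against a per-device allowlist."""
from collections import defaultdict

# Per-device egress policy (constructed for the example; values are illustrative).
# 'allow' lists the (proto, dport) pairs the device needs for its purpose,
# 'max_bytes_per_min' bounds the amount of traffic it may send out.
POLICY = {
    "signage-01": {"allow": {("udp", 53), ("tcp", 443)}, "max_bytes_per_min": 5_000_000},
    "present-01": {"allow": {("udp", 53), ("tcp", 443), ("udp", 123)}, "max_bytes_per_min": 2_000_000},
}
# The permissive alternative ("egress filtering off"): any port, no cap.
PERMISSIVE = {dev: {"allow": None, "max_bytes_per_min": None} for dev in POLICY}

# Constructed flow records: (minute, device, proto, dport, bytes_out).
FLOWS = [
    (0, "signage-01", "tcp", 443, 120_000),
    (0, "signage-01", "tcp", 3933, 800),        # the C2 port reported for this variant
    (1, "signage-01", "tcp", 80, 9_000_000),    # sustained outbound HTTP far above the cap
    (1, "present-01", "udp", 123, 76),
    (1, "present-01", "tcp", 23, 512),          # telnet egress is never needed by this device
]


def evaluate(flows, policy):
    """Return (device, reason, detail) for every flow or minute that breaks the policy."""
    violations = []
    volume = defaultdict(int)  # (device, minute) -> bytes sent
    for minute, dev, proto, dport, nbytes in flows:
        rule = policy.get(dev)
        if rule is None:
            # A device with no policy at all should never be reachable from the internet.
            violations.append((dev, "unknown-device", f"{proto}/{dport}"))
            continue
        if rule["allow"] is not None and (proto, dport) not in rule["allow"]:
            violations.append((dev, "port-not-allowed", f"{proto}/{dport}"))
        volume[(dev, minute)] += nbytes
    for (dev, minute), total in sorted(volume.items()):
        cap = policy[dev]["max_bytes_per_min"]
        if cap is not None and total > cap:
            violations.append((dev, "volume-exceeded", f"minute {minute}: {total} > {cap}"))
    return violations


if __name__ == "__main__":
    for v in evaluate(FLOWS, POLICY):
        print(v)
    print("with filtering off:", evaluate(FLOWS, PERMISSIVE))
```

With the allowlist in force, the signage display's connection to port 3933, its outbound HTTP burst (the kind of traffic an HTTP flood would generate) and the presentation system's telnet attempt are all flagged; with the permissive policy, none of them are, which is the practical difference between having egress filtering turned on and off. In a real deployment the same policy would be enforced at the firewall rather than evaluated after the fact, but the checker is useful for auditing flow logs before the rules are tightened.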