Mirai Variant Goes After Enterprise Systems

mirai botnet iot

The newest Mirai variant is targeting WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs used by enterprises.

Researchers have discovered a new variant of the infamous Mirai IoT botnet, which has been sniffing out and targeting vulnerabilities in enterprise wireless presentation and display systems since January.

Palo Alto Network’s Unit 42 researchers said that the newest variant of Mirai is notably different because it is targeting enterprise-focused devices as opposed to vulnerable consumer IoT devices; namely, it has been targeting WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs.

Both these devices are intended for use by businesses, researchers said.

For the LG Supersign TVs, the LG SuperSignEZ CMS, which many of the TVs have built in, is prone to the remote code execution attack due to an improper parameter handling (CVE-2018-17173), according to an advisory. For the WePresent WiPG-1000, the variant is targeting a command-injection vulnerability.

WePresent and LG did not respond to comments from Threatpost on the vulnerabilities in the devices.

In addition to these commercial devices, the variant is also targeting various embedded hardware like routers (including Linksys E1500/E2500 routers and ZTE ZXV10 H108L routers), network storage devices, NVRs and IP cameras (Netgear ReadyNAS Surveillance 1.4.3-16 and NUUO NVRMini devices), and using numerous exploits against them.

The variant contains a total of 27 exploits – 11 of which are new to Mirai, researchers said.

“These new features afford the botnet a large attack surface. In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks,” researchers said in a Monday post. They added, “The previous instance where we observed the botnet targeting enterprise vulnerabilities was with the incorporation of exploits against Apache Struts and SonicWall.”

Mirai is best known for being used in a massive, unprecedented DDoS attack that compromised more than 300,000 IoT devices to take down major websites in 2016.

In addition to using fresh exploits, the Mirai variant is also continuing to mount brute-force attacks against devices, this time with new default credentials added to its arsenal.

Upon further inspection of the variant, researchers said they found certain “unusual default credentials for brute force” that they haven’t come across until now, including: admin:huigu309, root:huigu309CRAFTSPERSON:ALC#FGU and root:videoflow.

mirai botnet variant

Once the devices are compromised, the malware fetches the Mirai payload for the variant and the device is added to the botnet — which ultimately can be used to send out HTTP flood DDoS attacks.

The variant’s shell script payload is still live, and interestingly is hosted at a compromised website for an “electronic security, integration and alarm monitoring business in Colombia, researchers said.

“IoT/Linux botnets continue to expand their attack surface, either by the incorporation of multiple exploits targeting a plethora of devices, or by adding to the list of default credentials they brute-force, or both,” researchers said. “In addition, targeting enterprise vulnerabilities allows them access to links with potentially larger bandwidth than consumer device links, affording them greater firepower for DDoS attacks.”

Variants of Mirai continue to pop up as cybercriminals tap into a growing rate of vulnerable Internet of Things devices. In April 2018 a variant of the Mirai botnet was used to launch a series of distributed denial of service campaigns against financial sector businesses; while this past September researchers discovered new variants for the infamous Mirai and Gafgyt IoT botnets targeting well-known vulnerabilities in Apache Struts and SonicWall.

Don’t miss our free live Threatpost webinar, “Exploring the Top 15 Most Common Vulnerabilities with HackerOne and GitHub,” on Wed., Mar 20, at 2:00 p.m. ET.

Vulnerability experts Michiel Prins, co-founder of webinar sponsor HackerOne, and Greg Ose, GitHub’s application security engineering manager, will join Threatpost editor Tom Spring to discuss what vulnerability types are most common in today’s software, and what kind of impact they would have on organizations if exploited.

Suggested articles