Mirai goes Enterprise

March 19, 2019

Yesterday we found a story about a new version of Mirai (a self-propagating botnet that targets IoT devices and was responsible for a massive DDoS attack on Dyn’s servers back in 2016). According to the analysts, this botnet is equipped with a much wider range of exploits, which makes it even more dangerous and allows it to spread faster. More troubling is the fact that the new strain is targeting not only its usual victims — routers, IP cameras, and other “smart” things — but also enterprise IoT devices.

Now Mirai can infect enterprise devices such as high-capacity, enterprise-class wireless controllers, digital signage systems, and wireless presentation systems.

It wasn’t a huge surprise — the Mirai malware’s source code was leaked a while ago and can now be used by almost any attacker with sufficient programming skills. As a result, the Mirai name is peppered throughout Securelist’s Q4 DDoS report. Variations of Mirai malware are also responsible for 21% of all IoT device infections, according to our latest IoT threat report.

Given that Mirai’s code is very flexible and adaptable, it can easily be rearmed with new exploits to widen its range of targets. And that is exactly what happened this time. In addition to the new set of exploits for its usual prey, such as routers, access-points, ADSL modems, and network cameras, it can now infect enterprise devices such as high-capacity, enterprise-class wireless controllers, digital signage systems, and wireless presentation systems.

According to analysts from Palo Alto Networks, the list of new potential Mirai targets consists of:

  • ePresent WiPG-1000 wireless presentation systems,
  • LG Supersign TVs,
  • DLink DCS-930L network video cameras,
  • DLink DIR-645, DIR-815 routers,
  • Zyxel P660HN-T routers,
  • Netgear WG102, WG103, WN604, WNDAP350, WNDAP360, WNAP320, WNAP210, WNDAP660, WNDAP620 devices,
  • Netgear DGN2200 N300 Wireless ADSL2+ modem routers, and
  • Netgear Prosafe WC9500, WC7600, WC7520 wireless controllers.

And that is far from the end of the story. Our experts await new waves of Mirai infections, possibly affecting even industrial IoT devices.

How to protect your devices

To avoid letting your devices fall victim to the Mirai botnet, our security researcher Victor Chebyshev advises businesses to:

  • Install patches and firmware updates on all devices and systems as soon as they are issued;
  • Monitor the volume of traffic coming from each device, because infected devices will have significantly higher traffic;
  • Always change preinstalled passwords and enforce an effective password policy for employees; and
  • Reboot a device if you think it is acting strangely, but bear in mind that although doing so may get rid of existing malware, it won’t on its own reduce the risk of further infection.

Kaspersky IoT Threat Data Feed

To protect companies against the newest IoT-related threats we have released a new intelligence data feed — one specifically collecting data on IoT threats. At this point it contains more than 8,000 records and is being updated every hour. You can implement this feed in routers, Web gateways, smart systems, and individual IoT products as well as make it a part of all-around Threat Intelligence solutions.

It is built on information from our researchers and analysts, as well as on data gathered by a set of honeypots and other traps simulating unprotected IoT devices. If you wish to learn more, or contact the team responsible for integrated technology solutions, please visit the Kaspersky Internet of Things Threat Data Feed Web page.