How to protect against Mirai botnet IoT attacks

With Mirai malware targeting enterprises again, Synopsys’ Tim Mackey advises on how to protect your network.
20 March 2019

The Mirai botnet targets wireless presentation systems, among other devices. Source: Shutterstock

A new variant of the infamous IoT/Linux botnet Mirai is targeting enterprises via wireless presentation systems and TVs, according to a recent report from cybersecurity firm, Unit 42.

Everyone remembers the Mirai DDoS attacks from back in 2016. Fast forward to 2019, and the new variant is targeting different embedded devices like routers, network storage devices, NVRs (network video recorders) and IP cameras, and using exploits among them.

Unit 42 found the new variant targeting WePresent WiPG-1000 Wireless Presentation systems and in LG Supersign TVs. Both these devices are intended for use by businesses.

This new variant includes new exploits in its multi-exploit battery as well as new credentials to use in brute force against devices.

These new features afford the botnet a large attack surface, and by targeting enterprise links it also grants access to larger bandwidth, giving even more firepower for the botnet for DDoS attacks.

It makes use of the same encryption scheme as is characteristic of Mirai with a table key of “0xbeafdead”.

When Unit 42 decrypted strings using this key, they found certain unusual default credentials for brute force that they had not come across before, listed here.

The shell script payload is still live and being fetched by the exploits in this variant which is hosted at a compromised website for “Electronic security, integration and alarm monitoring” business in Colombia.

Additionally, the binaries downloaded by the shell script were named in the format “clean.[arch]” (e.g. clean.x86, clean.mips etc.), but these are not hosted on the website anymore.

Unit 42 said that pivoting on the payload source revealed some samples fetching the same payload that were hosted at 185[.]248.140.102/bins/.

It appears that the same IP was hosting some Gafgyt samples using the name “eeppinen.[arch]” a few days prior to the upgrade to this new multi-exploit variant.

All in all, the cybersecurity firm believes that enterprises need to be aware of the IoT devices in their network, change default passwords, ensure that devices are fully up-to-date on patches.

In the case of being unable to patch these devices, enterprises need to be ready to remove them for the network as they could pose a cybersecurity risk.

How to reduce the risk of a Mirai botnet attack

For Tim Mackey, senior technical evangelist at Synopsys, thee questions need to be asked when deploying an IoT device of any type;

  • Have we configured strong credential access?
  • What is our update strategy for firmware changes?
  • What URLs and IP address does the device need for its operation?

The Mirai botnet works by exploiting known vulnerabilities within the toolchain or operating framework of the IoT device and weak credentials, he explained.

“When IoT devices are deployed within a business environment, best practice dictates a separate network segment known as a VLAN should be used,” said Mackey.

“This then allows for IT teams to monitor for both known and unknown traffic impacting the devices. It also allows teams to ensure that network traffic originates from known locations.”

If a conference room projector is accessible via wifi, for example, the network the device uses should be restricted to only internal and authenticated users. Public access to the device should always be restricted.

By following this model, malicious actors must first compromise a computer belonging to an authenticated user.

“Regular IT audits of IoT networks should then be performed to ensure only known devices are present and with the device’s identification mapped back to an asset inventory containing a current list of firmware version and a list of open source components used within that firmware,” said Mackey.

“This open source inventory can then be used to understand when an open source vulnerability impacting a library used within the firmware has a published vulnerability.

“Armed with this information, a proactive update and patching model can be created for corporate IoT devices.”