Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

A new development shows a potential shift to using Mirai to target enterprises

PaloAlto Networks researchers discovered a new variant of the infamous Mirai botnet is targeting IoT devices belonging to businesses. Researchers at PaloAlto Networks spotted a new variant of the infamous Mirai botnet is targeting IoT devices belonging to businesses. Mirai malware first appeared in the wild in 2016 when the expert MalwareMustDie discovered it in massive attacks […]

mirai

PaloAlto Networks researchers discovered a new variant of the infamous Mirai botnet is targeting IoT devices belonging to businesses.

Researchers at PaloAlto Networks spotted a new variant of the infamous Mirai botnet is targeting IoT devices belonging to businesses.

Mirai malware first appeared in the wild in 2016 when the expert MalwareMustDie discovered it in massive attacks aimed at Internet of Things (IoT) devices.

mirai

Since the code of the Mirai botnet was leaked online many variants emerged in the threat landscape. SatoriMasutaWicked MiraiJenX, Omni, and the OMG botnet are just the last variants appeared online in 2018.

A variant discovered last year was leveraging an open-source project to target multiple architectures, including ARM, MIPS, PowerPC, and x86.

The new Mirai variant targets embedded devices (i.e. routers, network storage devices, NVRs, and IP cameras) and leverages various exploits to hack them.

Experts observed attacks against WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs, both families of devices intended for use within business environments.

“In particular, Unit 42 found this new variant targeting WePresent WiPG-1000 Wireless Presentation systems, and in LG Supersign TVs. Both these devices are intended for use by businesses. This development indicates to us a potential shift to using Mirai to target enterprises.” Palo Alto Networks notes

“The previous instance where we observed the botnet targeting enterprise vulnerabilities was with the incorporation of exploits against Apache Struts and SonicWall,”

The malicious code was hosted at a compromised website in Colombia: an “Electronic security, integration and alarm monitoring” business.

Researchers discovered that the new Mirai variant uses a total of 27 exploits, 11 of them are new to the threat. The bot can also leverage a new set of credentials to use while carrying out brute force attacks.

The new malware implements the same encryption scheme characteristic of Mirai, it is also able to scan for vulnerable devices and launch HTTP Flood DDoS attacks.

The samples analyzed by the experts were fetching the same payload hosted at the same IP that had been hosting some Gafgyt samples just a few days before, and that these used the same name as the binaries fetched by the shell script.

“IoT/Linux botnets continue to expand their attack surface, either by the incorporation of multiple exploits targeting a plethora of devices, or by adding to the list of default credentials they brute force, or both.”
Palo Alto Networks concludes. “In addition, targeting enterprise vulnerabilities allows them access to links with potentially larger bandwidth than consumer device links, affording them greater firepower for DDoS attacks,”

Further details, including IoCs are reported in the analysis published by PaloAlto Networks.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Mirai, IoT)

[adrotate banner=”5″]

[adrotate banner=”13″]