Mirai Variant Targets Multiple IoT Vulnerabilities in Recent Campaign

More details

• The variant targets around 22 known security issues in various connected products such as routers, DVRs, NVRs, WiFi communication dongles, thermal monitoring systems, access control systems, and solar power generation monitors. 
• Some of these affected products are from D-Link, Nagios, Arris, Zyxel, TP-Link, SolarView, Nortek, Tenda, and MediaTek.

Infection chain

• The attack chain commences by exploiting one of these flaws, laying the groundwork for executing a shell script from an external resource. 
• This script downloads the botnet client that matches the architectures of a compromised device, such as armv4l, arm5l, arm6l, arm7l, mips, mipsel, sh4, x86_64, i686, i586, arc, m68k, and sparc.
• After execution of the bot client, the shell script downloader deletes the client’s file infection tracks to reduce the likelihood of detection.

Mirai-inspired botnets continue to grow in the wild

• Recently, the Shadowserver Foundation cited active exploitation of a command injection flaw in Zyxel gear by a Mirai-like botnet.
• Another variant, dubbed IZ1H9, was found in large-scale network attacks targeting servers and networking devices running Linux. 
• In February, a Mirai variant, tracked as V3G4, exploited 13 different vulnerabilities in three different campaigns to launch massive DDoS attacks.

Ending lines