Mirai Variants Still Threatening IoT Devices By Adding New Exploits In Comtrend Routers

Mirai, the first major botnet threat targeting IoT devices globally since August 2016, has recently been updated to exploit more devices and expand its arsenal further.

Another new variant

A new variant of the Mirai botnet was found targeting specific versions of IP cameras, smart TVs, and routers by exploiting a mix of new and old vulnerabilities in various popular brands.
  • In July, a new variant of Mirai (detected as IoT.Linux.MIRAI.VWISI) was identified, spreading via Telnet and Secure Shell (SSH) brute-forcing methods, like all other Mirai variants.
  • One of the vulnerabilities it exploits is CVE-2020-10173, a multiple authenticated command injection vulnerability in Comtrend VR-3033 routers, which is reportedly being used by a Mirai variant for the first time. Another new vulnerability it exploits affects the Netlink GPON router 1.0.11.
  • It also exploits vulnerabilities in other popular brands, including AVTECH IP Camera / NVR / DVR Devices, D-Link Devices, MVPower DVR, Symantec Web Gateway, and ThinkPHP.

Other recent Mirai variants

In recent months, researchers have identified various new variants of the Mirai botnet.
  • In May, new campaigns of the Hoaxcalls and Mirai botnets were observed targeting a post-authentication Remote Code Execution vulnerability in Symantec Secure Web Gateway 5.0.2.8.
  • In March, another variant of Mirai malware dubbed Mukashi was seen taking advantage of a vulnerability (CVE-2020-9054) in Zyxel NAS devices to take control of them and add them to the botnet.
  • In February, two new variants of Mirai, dubbed SORA and UNSTABLE, were identified abusing a vulnerability (CVE-2020-6756) in the Rasilient video surveillance storage device.

What makes Mirai invincible?

In August 2016, the source code for Mirai was published on Hack Forums as open source and was picked up by several threat actors. In addition, because of rapid growth in the IoT ecosystem, threat actors are getting regular batches of new vulnerable devices, which allows them to easily restructure and reuse the malware code for new targets.

Can it be stopped?

In June, ETSI released a new cybersecurity standard for IoT devices, which will help prevent such attacks against IoT devices in the future.