The Evolving Threat of The Mirai Botnet

The Mirai botnet that once only targeted home based IoT devices is now a threat to the enterprise. This new strain of the malware is targeting routers, IP cameras, and network storage devices. According to Palo Alto’s Unit 42 research, “This development indicates to us a potential shift to using Mirai to target enterprises.”

The targeting of enterprise devices will allow Mirai to have larger bandwidth than it previously had before from consumer devices. This will enable it to launch more effective DDoS attacks, like the ones it became infamous for in 2016. The DDoS attacks in 2016 were so effective that at one point an estimated 25% of the Internet was disconnected and in another case the entire country of Liberia lost Internet connectivity.

The original source code for Mirai was posted to GitHub and has been forked into new variants nearly 3,000 times. The evolving Mirai variants make use of 27 different exploits across several CPU platforms and operating systems. This recent strain has also increased the amount of exploits it has at its disposal by almost 70%. Still, much of Mirai’s success is owed to simple brute forcing and use of unchanged default credentials as it’s entry point.

Enterprises are at risk not only from devices they willingly add to the network but are also at the mercy of employees and threat actors alike. Without extensive policies in place to restrict access to known devices, employees are able to add wireless and hard wired devices to the network without any assurance of a clean bill of health.

A common practice among Critical Path Security’s Red Team during an engagement is to breach physical security and place small IoT devices such as Raspberry Pi’s on open network ports found in common areas like conference or break rooms. Some of our devices have gone undetected for months, and if they were malicious could have caused millions of dollars in damages.

The good news is that with some planning any organization can design and execute a security plan that will exponentially increase prevention and detection of threats like Mirai. Critical Path Security recommends starting with our online assessment tool to get an understanding of the organizations current adherence to critical security controls.

A comprehensive inventory of these assets should be done immediately and regularly as part of standard operations. Check every new and existing device for default passwords and change them to a secure password. These devices should be patched automatically or on a schedule; if they can’t be patched or do not support a critical business need they should be removed from the network. Following security best practices are the best defense against Mirai.  

For additional peace of mind, Critical Path Security offers a Managed Security Service powered by the Léargas Platform which monitors network traffic between every device on the network as well as traffic coming in and going out. Regular review of all traffic can identify new devices and expose indicators of threat such as lateral movement or data exfiltration that could otherwise go unseen.

For more information about Critical Path Security, our Red Team or MSOC Services or to take our online assessment please contact us.  

Leave a Reply