Alert! Mirai Botnet is Active and So are its Dozen Other Variants

The Mirai botnet has been a constant IoT security threat since it first emerged in 2016. A recent McAfee report attributes the surge in attacks on IoT (55%) and Linux (38%) systems in the first quarter of 2021 to the malware and its several variants.

Sadly, variants continue to grow

  • Ever since the release of the source code by the authors of Mirai, threat actors have been stirring up a lot of attacks by creating their own flavors of IoT botnet armies.
  • Although new features and exploits have been constantly added by various threat actors, the structure and goal of the campaigns remain the same.

Assessing Mirai’s prominence

  • Fortinet researchers came across many interesting aspects during the course of tracking the activities of IoT botnets.
  • A fresh honeypot system used for the purpose was found receiving around 200 attacks per day, summing to nearly 4,700 attacks in just three weeks.
  • Some 4,000 of those attacks were linked with Mirai variants.
  • Based on the attacks, the top variants used were Hajime, SYLVEON, Kyton, PEDO, DNXFCOW, SORA, Cult, BOTNET, OWARI, and Ecchi.
  • Aside from the honeypot, the researchers also found MANGA, a variant of Mirai, actively adding exploit vectors to its list.
  • Some of the exploits target vulnerabilities in OptiLink ONT1GEW GPON, Cisco HyperFlex, and Tenda routers.

That’s not all

  • According to AT&T Alien Labs, there has been a spike in activity from another Mirai variant, Moobot.
  • It turns out that it was being pushed out from a new cyber-underground malware domain, known as Cyberium, which has been anchoring a large amount of Mirai variant activity.
  • Researchers observed that Moobot is actively scanning for a remote code execution vulnerability in Tenda routers.
  • One of the main characteristics of Moobot is a hardcoded string that is used multiple times in its code, such as when generating the process name to be used during execution.

Conclusion

As the number of smart devices continues to explode, IoT will remain a hotbed for malware operations in the future. The ongoing attack activity and continued development of Mirai variants make this more concerning. It also once again highlights the need for IoT device manufacturers to patch vulnerabilities in a timely manner and follow proper IoT security standards.

Cyware Publisher
