Botnet rising: Trend Micro detects Mirai-like scanning activity from China

Trend Micro researchers have recently detected a spike in scanning activity similar to that of the infamous Mirai botnet. In October 2016, the Mirai botnet took down a good chunk of the internet by enslaving hundreds of thousands of vulnerable IoT devices and launching a massive DDoS attack on DNS provider Dyn.

The public release of the botnet’s source code shortly after has since served as an inspiration to other attackers who have tweaked its code to create hundreds of new Mirai variants - each capable of ensnaring an expanding array insecure IoT devices to launch cyberattacks.

Between 1:00PM UTC on March 31 to 12:00AM UTC on April 3, Trend Micro’s network monitoring system detected a massive surge of activity from China coming from 3,423 IP addresses of scanners. Scanning activity was particularly heavy in Fujian, Hunan and Shandong, the report noted.

Researchers observed that Brazil seemed to be the target location of the scanning of potentially vulnerable internet-connected devices such as routers and IP cameras.

Similar to the original Mirai’s behaviour, this attack activity looked to infect devices by incessantly scanning the internet for potentially vulnerable devices and using default credentials to hijack them.

In this case, the scanner looked for new default credentials, indicating the attackers are looking for new targets. Some of username-password pairs found were the default settings of telecom home routers in China, Trend Micro researchers said. The scanner was also looking to find similar home routers in Brazil.

Analysis of the scanner’s IP addresses in historical databases found 167 routers, 16 IP cameras and four digital DVRs were involved in the scanning activity to probe for possible targets. Most of the bot routers involved were Broadcom-based, researchers noted.

They just keep coming

Trend Micro’s report comes just months after another Mirai botnet variant was used to launch a series of DDoS attacks on financial institutions in January 2018. These campaigns were powered by at least 13,000 hijacked IoT devices generating traffic volumes of up to 30 Gbps. Recorded Future reported the botnet and malware variant featured characteristics and behaviour akin to the IoTroop or Reaper botnet.

First identified in October 2017, IoTroop shares some of Mirai’s code and also targets poorly protected internet-connected devices such as routers and wireless cameras manufactured by D-Link, Netgear, Avtech, MikroTik, TP-link, Linksys, GoAhead and Synology. However, this botnet does differ from Mirai in exploitation vector by targeting IoT device vulnerabilities, rather than unchanged administrator credentials.

Since the release of the Mirai source code in October 2016, a string of malware variants have cropped up. Just weeks after its release, researchers uncovered a Linux-based botnet targeting weak telnet credentials and communicated with compromised devices over IRC.

In early December 2017, Satori - deemed Mirai’s successor - affected 280,000 IP addresses in just 12 hours by targeting two vulnerabilities in IoT devices - CVE-2017–17215 in Huawei’s Home GateWay routers and CVE-2014-8361 in Realtek’s Universal Plug and Play SOAP interface.

The source code of Satori was also posted online on Pastebin earlier this year, spawning to its own set of variants. In February, FortiGuard Labs discovered another new Mirai variant dubbed OMG that is capable of turning IoT devices into proxy servers for other malicious activities.

“Since the release of the source code of the Mirai botnet, FortiGuard Labs has seen a number of variations and adaptations written by multiple authors entering the IoT threat landscape,” Fortinet researchers said in a report. “These modified Mirai-based bots differ by adding new techniques, in addition to the original telnet brute force login, including the use of exploits and the targeting of more architectures.

“We have also observed that the motivation for many of the modifications to Mirai is to earn more money. Mirai was originally designed for DDoS attack, but later modifications were used to target vulnerable ETH mining rigs to mine cryptocurrency.”

IoT users have been advised to ensure the default account passwords have been changed on their devices, avoid using any easy-to-guess combinations. Make sure you have the latest updates installed and block any potential entry points or ports that are not required for the device to prevent it from being accessed via the internet.