Mirai still threatens IoT ecosystem

January 26, 2022

Botnets built from the Mirai codebase continue to wreak havoc, with attacks taking advantage of lax Internet of Things (IoT) security. The Mirai malware, known since 2016, when it first appeared in a distributed denial of service (DDoS) attack on the website of well-known security journalist Brian Krebs, is still active. And, to use a term currently in vogue, it has mutated, giving rise to variants such as Okiru, Satori, Masuta, and PureMasuta.

All of these variants have the same goal: infecting hardware, software, and communication channels associated with the Internet of Things (IoT). According to an analysis by cyber threat intelligence firm Intel 471, malicious actors are not only building large botnets with it but also stealing sensitive data from IoT devices to sell in underground marketplaces. These actors, whose targets are primarily in Europe and North America, are also selling access to these Mirai-based IoT botnets, forming an ecosystem of their own.

In 2020 and 2021, Intel 471 observed an increase in attacks on IoT devices. Many Mirai-derived botnets, such as BotenaGo, Echobot, Gafgyt, Loli, Moonet, Mozi, and Zeroshell, have been active since the start of the COVID-19 pandemic in early 2020 and continued to evolve throughout 2021. The FortiGuard Labs Global Threat Landscape report highlights that the percentage of organizations detecting botnet activity jumped from 35% in early 2021 to 51% by the middle of last year. And as the total number of connected IoT devices worldwide is expected to grow year on year, the attack surface for these botnets will grow proportionally, and with it the risk of intrusion.

To combat threats like Mirai, Intel 471 recommends implementing processes to monitor IoT devices, performing cybersecurity audits frequently, routinely rotating credentials and keys, and maintaining regular patching cycles.
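One way to put the "monitor IoT devices" recommendation into practice is to watch for the behaviour an infected device exhibits rather than for the malware itself. Bots built from the Mirai code base recruit new victims by probing other hosts on the telnet ports 23 and 2323 and trying default credentials, so a camera or router that suddenly opens connections to many distinct addresses on those ports is a strong sign it has joined a botnet. The Python script below is an added example, not code from the article or from Intel 471: the connection-log line format and the sample lines are constructed for illustration, and the threshold (five distinct telnet targets within five minutes) is an assumption to tune per network.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Telnet ports used by the Mirai scanner when it looks for devices with default credentials.
TELNET_PORTS = {23, 2323}

# Constructed log format (assumption): one outbound connection attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample: 192.168.1.20 fans out to six telnet targets in seconds (bot-like);
# 192.168.1.30 is an admin talking to one router; 192.168.1.40 browses HTTPS;
# 192.168.1.50 touches six telnet hosts, but spread over twenty minutes.
SAMPLE_LOG = [
    "2022-01-26T10:00:01Z src=192.168.1.20 dst=203.0.113.5 dport=23 proto=tcp",
    "2022-01-26T10:00:02Z src=192.168.1.20 dst=203.0.113.6 dport=23 proto=tcp",
    "2022-01-26T10:00:02Z src=192.168.1.30 dst=192.168.1.1 dport=23 proto=tcp",
    "2022-01-26T10:00:03Z src=192.168.1.20 dst=198.51.100.7 dport=2323 proto=tcp",
    "2022-01-26T10:00:04Z src=192.168.1.40 dst=203.0.113.50 dport=443 proto=tcp",
    "2022-01-26T10:00:05Z src=192.168.1.20 dst=198.51.100.8 dport=23 proto=tcp",
    "2022-01-26T10:00:06Z src=192.168.1.40 dst=203.0.113.51 dport=443 proto=tcp",
    "2022-01-26T10:00:07Z src=192.168.1.20 dst=203.0.113.9 dport=23 proto=tcp",
    "2022-01-26T10:00:08Z src=192.168.1.30 dst=192.168.1.1 dport=23 proto=tcp",
    "2022-01-26T10:00:09Z src=192.168.1.20 dst=203.0.113.10 dport=23 proto=tcp",
    "2022-01-26T10:00:10Z src=192.168.1.50 dst=203.0.113.20 dport=23 proto=tcp",
    "2022-01-26T10:00:11Z src=192.168.1.50 dst=203.0.113.21 dport=23 proto=tcp",
    "2022-01-26T10:00:12Z src=192.168.1.50 dst=203.0.113.22 dport=23 proto=tcp",
    "2022-01-26T10:20:10Z src=192.168.1.50 dst=203.0.113.23 dport=23 proto=tcp",
    "2022-01-26T10:20:11Z src=192.168.1.50 dst=203.0.113.24 dport=23 proto=tcp",
    "2022-01-26T10:20:12Z src=192.168.1.50 dst=203.0.113.25 dport=23 proto=tcp",
    "garbage line that does not parse",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def find_telnet_scanners(lines, min_targets=5, window_seconds=300):
    """Return {source: max distinct telnet targets seen inside any window} for sources
    that reach min_targets distinct destinations on ports 23/2323 within window_seconds."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proto"] != "tcp" or ev["dport"] not in TELNET_PORTS:
            continue
        events[ev["src"]].append((ev["ts"], ev["dst"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        # Sliding window: count distinct destinations among events no older than `window`.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {dst for _, dst in evs[start : end + 1]}
            if len(distinct) >= min_targets:
                flagged[src] = max(len(distinct), flagged.get(src, 0))
    return flagged


if __name__ == "__main__":
    for src, count in sorted(find_telnet_scanners(SAMPLE_LOG).items()):
        print(f"possible Mirai-style scanner: {src} ({count} distinct telnet targets)")
```

The distinct-destination count inside a time window is what separates a scanner from an administrator who reconnects to the same router several times, and the window keeps slow background noise (the 192.168.1.50 case) below the threshold; a device that is flagged should be isolated from the network and checked for default credentials and missing firmware updates before being reconnected.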

Growing without security

Increasingly, vendors of various classes of IoT devices are adding online functionality that, when not properly managed and updated, can create vulnerable points and consequently open doors for attackers.

Just to name one area of activity, in healthcare environments, 53% of connected medical instruments and IoT devices have critical vulnerabilities, according to a report by Cynerio. In this study, data from more than 10 million IoT and IoMT devices in more than 300 hospitals and healthcare facilities around the world was evaluated.

The infusion pump is the most common type of connected device in hospitals: it can connect remotely to electronic medical records and determine the correct dosage of medication to deliver to the patient. It is therefore also the device most likely to be attacked when vulnerable.

Vulnerabilities in IoT devices, and therefore botnet attacks, are recorded in many segments beyond the medical environment, because they are often found in operating systems widely used across the Internet of Things. For example, malware targeting Linux, one of the main open-source systems used by IoT devices, reached a new record high in 2021, according to a report by Crowdstrike: attacks grew 35% in 2021 compared to 2020.

This escalation in attacks targeting the Internet of Things, and, in parallel, increasing regulation to counter threats to businesses and nations, is expected to further drive the global IoT security market, which is forecast to grow at a compound annual growth rate of 26.7% between 2020 and 2028, reaching US$88 billion by the end of the period, according to an analysis by Emergen Research.

Finally, remember journalist Brian Krebs, the victim of Mirai's debut? In September 2021, his website was again hit by a DDoS attack, much larger than the 2016 Mirai attack that kept KrebsOnSecurity offline for almost four days. The 2021 attack appears to have been carried out almost exclusively by a large botnet of hacked IoT devices. Moral of the story: keep an eye out, because your IoT device could be the newest member of a cybergang.

How to protect yourself from Mirai

Mirai, like other botnets, uses known exploits to attack and compromise devices. It also tries known default login credentials to log in to the device and take it over. So the three best lines of protection against it are straightforward.

Always update the firmware (and software) of anything in your home or workplace that can connect to the internet. Hacking is a game of cat and mouse, and as soon as a researcher discovers a new exploit, patches follow to fix the problem. Botnets like this thrive on unpatched devices, and this Mirai variant is no different.

Change the administrator credentials of your devices (username and password) as soon as possible. For routers, you can do this from your router’s web interface or from the mobile app (if any). For other devices where you log in with the default username or password, refer to the device’s manual.

If you can log in with a username or password such as admin, password or a blank field, you need to change it. Be sure to change the default credentials every time you set up a new device. If you have already configured devices and have not changed the password, do so now. This new variant of Mirai targets new combinations of default usernames and passwords.

If your device manufacturer has stopped releasing firmware updates, or has locked the administrator credentials so that you cannot change them, consider replacing the device.

The best way to check is to start at the manufacturer’s website. Find the support page for your device and look for any notices about firmware updates. Check when the last one was released. If it’s been years since a firmware update, the manufacturer probably no longer supports the device.

You can also find instructions for changing the admin credentials on the device manufacturer’s support site. If you can’t find recent firmware updates or a method to change the device’s password, it’s probably time to replace the device. You don’t want to leave something permanently vulnerable connected to your network, do you?
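The three steps above (patch, change the default credentials, replace what cannot be secured) amount to a simple decision procedure that can be applied to a whole inventory at once. The Python audit below is an added illustration, not code from the article: the CSV columns, device names and dates are constructed, and the two-year cutoff is an arbitrary stand-in for the article's "years since a firmware update" test.

```python
import csv
import io
from datetime import date

# Constructed inventory for illustration; every column, device and date is an assumption.
# last_firmware_release is the date of the newest firmware on the vendor's support page.
INVENTORY_CSV = """device,last_firmware_release,default_credentials_changed,credentials_changeable
living-room-camera,2018-03-10,no,yes
office-router,2021-11-02,yes,yes
lobby-thermostat,2021-06-15,no,no
warehouse-printer,2020-12-01,no,yes
"""

# Assumed cutoff: no firmware release in two years is treated as "no longer supported".
MAX_FIRMWARE_AGE_DAYS = 2 * 365


def assess_device(row, today):
    """Return (verdict, reasons) for one inventory row.

    verdict is one of:
      "replace"   - cannot be secured (locked credentials or abandoned firmware)
      "remediate" - fixable now: default credentials still in place
      "ok"        - patched and credentials changed; keep checking for updates
    """
    released = date.fromisoformat(row["last_firmware_release"])
    age_days = (today - released).days
    reasons = []
    if row["credentials_changeable"].strip().lower() == "no":
        reasons.append("administrator credentials cannot be changed")
    if age_days > MAX_FIRMWARE_AGE_DAYS:
        reasons.append(f"no firmware release for {age_days} days")
    if reasons:
        return "replace", reasons
    if row["default_credentials_changed"].strip().lower() == "no":
        return "remediate", ["default administrator credentials still in use"]
    return "ok", []


def audit_inventory(csv_text, today_iso):
    """Map each device name to its (verdict, reasons); today_iso is an ISO date string."""
    today = date.fromisoformat(today_iso)
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["device"]: assess_device(row, today) for row in reader}


if __name__ == "__main__":
    # The article's publication date is used as the audit date.
    for device, (verdict, reasons) in audit_inventory(INVENTORY_CSV, "2022-01-26").items():
        detail = f" ({'; '.join(reasons)})" if reasons else ""
        print(f"{device}: {verdict}{detail}")
```

Unchangeable credentials and abandoned firmware are both checked before the default-credential test, because a device that fails either of them goes on the replacement list no matter what else is fixed; only devices that pass both are worth the effort of changing the password.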