Cybercriminals have made quite a profession out of DDoS (distributed denial-of-service) attacks, and with the modified Mirai botnet they have found a specific weakness in certain routers that could put five million routers around the world in a vulnerable position. When a DDoS attack occurs, it can push entire networks and systems to the brink of inaccessibility, and it doesn’t matter how large or small the network is.
The original Mirai botnet code spread over Telnet by logging in to IoT devices with default or insecure administrator credentials. What makes the new version of Mirai more dangerous is that it can additionally scan for a flaw in the SOAP (Simple Object Access Protocol) service embedded in a variety of routers, many of them made by Zyxel.
The destructive potential of the Mirai botnet was demonstrated when the original version was used in earlier DDoS attacks that took down DNS servers and thereby disrupted high-profile consumer websites such as Twitter, Amazon, Spotify, PayPal, Netflix and Reddit.
According to security researchers at Flashpoint, “The new Mirai variant exploits these provisioning networks further to freely spread within the modem or router’s network ‘segment,’ which can vary wildly and amount to the size of street, municipality, or entire country.” To clarify how serious this is, Flashpoint continues: “The new Mirai variant utilizes the TR-064 and TR-069 protocols over port 7547 and exploits a known vulnerability to gain control of the device. The protocol TR-069 runs the ‘provisioning networks’ used by ISPs and telecoms to remotely manage modems and routers in their consumer networks.” This means that the modified Mirai botnet can literally take over the routers and modems that control the networks used by the average person.
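Because TR-069 management traffic on port 7547 is only ever expected from the ISP's own provisioning server (the ACS), a simple defensive check is to flag connection attempts to that port that arrive on the WAN interface from anywhere else. The script below is an added example written for this article, not code from Flashpoint or from any router vendor; the netfilter-style log lines, the WAN interface name `ppp0` and the ACS address range `192.0.2.0/24` are all constructed assumptions, and a real deployment would substitute the log format and the ISP's published ACS addresses.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of netfilter-style firewall log lines, in the shape a
# consumer router with connection logging enabled might emit. All addresses
# come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Nov 28 10:01:02 gw kernel: [FW] IN=ppp0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=44120 DPT=7547 SYN
Nov 28 10:01:03 gw kernel: [FW] IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=7547 SYN
Nov 28 10:01:05 gw kernel: [FW] IN=ppp0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=44121 DPT=7547 SYN
Nov 28 10:01:07 gw kernel: [FW] IN=br0 OUT= SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=80 SYN
Nov 28 10:01:09 gw kernel: [FW] IN=ppp0 OUT= SRC=203.0.113.77 DST=198.51.100.7 PROTO=TCP SPT=6000 DPT=7547 SYN
"""

# Fields we need from each log line: ingress interface, source, protocol, destination port.
LINE_RE = re.compile(
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

CWMP_PORT = 7547                    # TR-069 / TR-064 (CWMP) management port
WAN_IFACES = {"ppp0"}               # assumption: the router's upstream interface
# Assumption: the ISP's auto-configuration server (ACS) lives in this range.
ACS_ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]


def parse_line(line):
    """Extract iface/src/proto/dpt from one firewall log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "iface": m.group("iface"),
        "src": ipaddress.ip_address(m.group("src")),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
    }


def is_allowed_acs(addr):
    """True when the source address belongs to the ISP's known ACS range."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in ACS_ALLOWLIST)


def find_unexpected_cwmp(log_text):
    """Return the source addresses of TCP/7547 attempts on the WAN that are not the ACS."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] != CWMP_PORT:
            continue
        if rec["iface"] in WAN_IFACES and not is_allowed_acs(rec["src"]):
            alerts.append(str(rec["src"]))
    return alerts


def summarize(log_text):
    """Count unexpected TR-069 connection attempts per source; repeats suggest scanning."""
    return Counter(find_unexpected_cwmp(log_text))


if __name__ == "__main__":
    for src, count in summarize(SAMPLE_LOG).most_common():
        print(f"{src}: {count} unexpected connection attempt(s) to port {CWMP_PORT} on WAN")
```

On the sample above, the legitimate ACS connection from `192.0.2.10` and the LAN-side web traffic are ignored, while the three attempts from outside the allowlist are reported with their counts. The same allowlist is the mitigation: a firewall rule that accepts port 7547 only from the ISP's ACS range and drops it from everywhere else closes the path this variant relies on, which is what a vendor firmware update of the kind Deutsche Telekom shipped is expected to enforce.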
This upgraded version of Mirai has already been blamed for service disruptions affecting almost one million customers of Germany’s Deutsche Telekom. Researchers are concerned, however, because they have found it spreading to routers all over the globe, with those in the U.K. and Brazil the most heavily affected. Deutsche Telekom has pushed out firmware updates for its German routers.
DDoS attacks are always about control, and Flashpoint assesses this Mirai variant as an attempt to expand the number of infected devices in the botnet. It uses the same command-and-control servers as the previous version, which strongly indicates that the same group is behind the new one.
The core problem is the vulnerability of embedded devices. They typically run without any security controls, and because they are connected to the internet they can be infected with malware that falls outside the standard DDoS attack patterns. An attack can therefore take place without anyone noticing, let alone realizing that the device itself is infected.
Experts have indicated that, given the number of unprotected devices, this version of Mirai presents a major issue. The botnet operators can add millions of unprotected internet-connected IoT devices to their network at incredible speed. The sheer quantity of unprotected routers will require detailed changes on an unprecedented scale.
“The potential for inclusion of the Mirai botnet can occur within any organization that either has or works with routers. Da Vinci Forensics can work within the community as well as companies to analyze the potential for attack, offer recommendations for changes to assist in protection and monitor the status.”
– Nick Brandt, CTO DaVinci Forensics