New Mirai malware variant targets signage TVs and presentation systems
Security researchers have spotted a new variant of the Mirai IoT malware in the wild targeting two new classes of devices: smart signage TVs and wireless presentation systems.
This new strain is being used by a new IoT botnet that security researchers from Palo Alto Networks spotted earlier this year.
The botnet’s author(s) appear to have invested quite a lot of time in upgrading older versions of the Mirai malware with new exploits.
Palo Alto Networks researchers say this new Mirai botnet uses 27 exploits, 11 of which are new to Mirai altogether, to break into smart IoT devices and networking equipment.
Furthermore, the botnet operator has also expanded Mirai’s built-in list of default credentials, which the malware uses to break into devices that still have their default passwords. Four new username and password combos have been added to Mirai’s considerable list of default creds, researchers said in a report published earlier today.
The purpose and modus operandi of this new Mirai botnet are the same as all the previous botnets. Infected devices scan the internet for other IoT devices with exposed Telnet ports and use the default credentials (from their internal lists) to break in and take over these new devices.
The infected bots also scan the internet for specific device types and then attempt to use one of the 27 exploits to take over unpatched systems.
Typically, Mirai botnets have targeted routers, modems, security cameras, and DVRs/NVRs. On some very rare occasions, Mirai malware has ended up on smart TVs, smartphones, and some enterprise Linux and Apache Struts servers, but these remain rare events.
However, according to Palo Alto Networks researchers, this new Mirai botnet they spotted this year is intentionally targeting two new device types using specially crafted exploits, namely LG Supersign signage TVs and WePresent WiPG-1000 wireless presentation systems.
Both of the exploits they’re using have been available online for months [1, 2], but this is the first time these exploits have been weaponized.
Palo Alto Networks’ report detailing this new botnet comes just two days after security researcher Troy Mursch of Bad Packets highlighted a noticeable uptick in Mirai activity.
Mirai-like detections continue an upward trend over the last 60 days. Largest spike of activity happened in the last two weeks. @circl_lu has shared a similar observation.
Will botnets infected with Mirai-like #malware ever go away? pic.twitter.com/MVMBHNa5lV
— Bad Packets Report (@bad_packets) March 16, 2019
Mirai-like #malware infections last 365 days by port targeted: https://t.co/jJ77DcDOO3
Top 10 ports/services targeted:
23/tcp – Telnet
5555/tcp – ADB
2323/tcp – Telnet
80/tcp – HTTP
22/tcp – SSH
8080/tcp – HTTP
81/tcp – HTTP
37215/tcp – Huawei
8000/tcp – HTTP
8081/tcp – HTTP pic.twitter.com/kRhegcl8na
— Bad Packets Report (@bad_packets) March 17, 2019
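The port list above, combined with the Telnet scanning behaviour described earlier, can be turned into a check on your own perimeter logs. The following Python is an added example, not code from the article or from the researchers it cites; the log format, the `min_hosts` threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Top 10 ports/services from the Bad Packets list quoted above.
MIRAI_PORTS = {23: "Telnet", 5555: "ADB", 2323: "Telnet", 80: "HTTP", 22: "SSH",
               8080: "HTTP", 81: "HTTP", 37215: "Huawei", 8000: "HTTP", 8081: "HTTP"}

# Assumed (constructed) log format:
#   "<time> ALLOW|DENY TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^\S+ (ALLOW|DENY) TCP (\S+):\d+ -> (\S+):(\d+)$")

# Constructed sample input using documentation address ranges.
SAMPLE_LOG = """\
2019-03-18T10:00:01Z DENY TCP 198.51.100.7:40112 -> 192.0.2.10:23
2019-03-18T10:00:01Z DENY TCP 198.51.100.7:40113 -> 192.0.2.11:23
2019-03-18T10:00:02Z ALLOW TCP 198.51.100.7:40114 -> 192.0.2.12:2323
2019-03-18T10:00:02Z DENY TCP 198.51.100.7:40115 -> 192.0.2.13:37215
2019-03-18T10:00:05Z ALLOW TCP 203.0.113.20:51000 -> 192.0.2.10:443
2019-03-18T10:00:09Z ALLOW TCP 203.0.113.20:51001 -> 192.0.2.10:80
garbled line that the parser must skip
"""

def parse(log_text):
    """Yield (action, src, dst, dport) for well-formed lines on listed ports."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and int(m.group(4)) in MIRAI_PORTS:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def find_scanners(log_text, min_hosts=3):
    """Sources that probed at least min_hosts distinct hosts on listed ports."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for _, src, dst, dport in parse(log_text):
        hosts[src].add(dst)
        ports[src].add(dport)
    return {s: {"hosts": len(h), "ports": sorted(ports[s])}
            for s, h in hosts.items() if len(h) >= min_hosts}

def exposed_remote_access(log_text):
    """Internal (dst, port) pairs that accepted a Telnet or ADB connection."""
    return sorted({(dst, dport) for action, _, dst, dport in parse(log_text)
                   if action == "ALLOW" and MIRAI_PORTS[dport] in ("Telnet", "ADB")})

if __name__ == "__main__":
    print("scan-like sources:", find_scanners(SAMPLE_LOG))
    print("reachable Telnet/ADB:", exposed_remote_access(SAMPLE_LOG))
```

Hosts returned by `exposed_remote_access` are the ones to fix first: close the port at the perimeter and replace any default credentials on the device.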