Security intelligence vendor Flashpoint has warned that 5 million devices are vulnerable to a new variant of the Mirai malware. Mirai is used to take over Internet-connected devices rather than computers and use them as a botnet. It looks for devices still using their factory-set default credentials, and it also targets devices where the manufacturer has hard-coded usernames and passwords that cannot be changed.
Mirai already a proven threat
Mirai is already credited with the attacks against KrebsOnSecurity, OVH and ISP Dyn. Those attacks set new records for the amount of traffic directed at an organisation to knock it off the Internet. Last month the source code was released, creating a surge of interest among hackers and botnet owners. The result is at least one new variant of Mirai that is targeting devices around the world.
This latest version of the Mirai malware was used in the attack on Deutsche Telekom a few days ago. This resulted in over 900,000 users being knocked offline when their routers were infected. Ironically, security experts believe that was not the intention. The plan was to take over the devices and use them in a very large botnet. However, due to a flaw in the code it disconnected the routers from the Internet.
Mirai spreads over TCP/23 (Telnet) and TCP/2323, ports that allow remote access to devices for management. With that attack vector now widely known, Flashpoint says this new variant is more selective, targeting a known vulnerability in specific devices: the TR-064 and TR-069 remote-management protocols on TCP port 7547. ISPs and service providers use this port to manage the modems and routers in their customers' networks. What will worry ISPs and service providers is that once Mirai gains access to a customer network it is capable of propagating across their entire customer base.
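As an added example (not from the article or from Flashpoint), the following Python flags firewall log entries that match the two propagation paths described above: any WAN-side connection to Telnet (TCP/23, TCP/2323), and connections to the TR-064/TR-069 port 7547 from outside the ISP's own management range. The ISP management network, the log format and the log lines are all constructed for illustration.

```python
# Added example (not from the article): flag firewall log entries that match the
# Mirai propagation paths described above, Telnet (TCP/23, TCP/2323) and
# TR-064/TR-069 on TCP/7547 reached from outside the ISP's management range.
import ipaddress
from collections import Counter

# Hypothetical ISP management network allowed to reach port 7547 (RFC 5737 test range).
ISP_MGMT_NETS = [ipaddress.ip_network("198.51.100.0/24")]
TELNET_PORTS = {23, 2323}
CWMP_PORT = 7547  # TR-069 (CWMP) port named in the article

# Constructed sample lines: "<src_ip> <src_port> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
198.51.100.7 44123 192.0.2.10 7547 tcp
203.0.113.55 51922 192.0.2.10 7547 tcp
203.0.113.55 51923 192.0.2.11 7547 tcp
203.0.113.9 40001 192.0.2.12 23 tcp
203.0.113.9 40002 192.0.2.12 2323 tcp
198.51.100.7 44124 192.0.2.10 443 tcp
"""

def parse_line(line):
    src, sport, dst, dport, proto = line.split()
    return ipaddress.ip_address(src), int(sport), ipaddress.ip_address(dst), int(dport), proto

def is_isp_management(src):
    return any(src in net for net in ISP_MGMT_NETS)

def classify(line):
    """Return a finding label for one log line, or None if it is benign."""
    src, _, _, dport, proto = parse_line(line)
    if proto != "tcp":
        return None
    if dport in TELNET_PORTS:           # WAN-reachable Telnet: Mirai's original vector
        return "telnet-exposed"
    if dport == CWMP_PORT and not is_isp_management(src):
        return "tr069-from-non-isp"     # management port reached from outside the ISP
    return None

def analyse(log_text):
    """Return (findings, count per label, count per source IP)."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        label = classify(line)
        if label:
            src, _, dst, dport, _ = parse_line(line)
            findings.append((label, str(src), str(dst), dport))
    # Per-source counts make a host sweeping many customer devices stand out.
    return findings, Counter(f[0] for f in findings), Counter(f[1] for f in findings)
```

The per-source counter is the useful part for an ISP: one source touching port 7547 on many customer devices is the propagation pattern the article describes, whereas a single connection from the management range is normal.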
Flashpoint identifies 11 countries and 41 million devices
While the recent outage suffered by Deutsche Telekom has made headlines, Flashpoint says this is the tip of the iceberg. It claims that devices with the same vulnerability exist in 11 countries: Germany, UK, Brazil, Turkey, Iran, Chile, Ireland, Thailand, Australia, Argentina and Italy. It also claims that the number of devices where port 7547 is used for management is as high as 41 million. On top of this it claims a further 5 million devices allow non-ISP access to that port.
A highly sophisticated attack
Flashpoint says: “..the perpetrators have shown a high degree of skill. Not only were they able to operationalize this exploit shortly after the relevant Metasploit module was released on November 8, they have quickly modified the Mirai source code to serve this new purpose.”
This is not just about the developers. A highly sophisticated, resilient, expensive and well-engineered infrastructure supports Mirai, one crafted well enough to withstand takedown attempts by law enforcement and ISPs. Because the botnet is built from embedded devices rather than computers, it is also difficult to shut down safely: without understanding what each device in the botnet does, shutting it down could black out the CCTV protecting large cities or knock large portions of a country offline. In a world that is increasingly dependent on the Internet, this is a major risk that few will want to take.
Flashpoint believes this is evidence of a commercial operation. If so, the question is who the clients are, and that is a difficult one to answer. It could be government black-ops teams looking for a DDoS attack to distract a target. It could equally be a competitor who wants to hire a botnet to attack a company during a major sales or launch event. Irrespective of who the customers are, dismantling such a sophisticated operation will be complex and risky.
There are some serious lessons here for commercial organisations. The way the hackers have constructed their infrastructure makes it resilient to attack. If large enterprises paid as much attention to their own infrastructure as the hackers behind Mirai have paid to theirs, they would have far fewer IT issues.
The threat from Mirai is not going away. If Flashpoint is correct, we are only at the start of what could become the largest botnet in the world. This leaves two questions. What will the industry, law enforcement and intelligence agencies do? And who is the next target of this or any other Mirai variant?