Researchers found a new Mirai variant in the wild targeting smart signage TVs and wireless presentation systems commonly used by businesses. Analysis revealed that the variant uses both old and new exploits, and that the cybercriminals behind this botnet have also expanded its built-in list of credentials used to brute-force internet of things (IoT) devices and networks that still run with default passwords.
The new malware variant (detected by Trend Micro as Backdoor.Linux.MIRAI.VWIPI and Backdoor.Linux.BASHLITE.AME) was detected in early January 2019 on a compromised website in Colombia catering to security and alarm integration, widening the possible impact to small and big businesses alike, according to Palo Alto's report. Of the 27 exploits this Mirai variant uses, which were previously used to target embedded devices such as IP cameras, network storage devices, and routers, as well as Apache Struts, 11 are new to the malware family and specifically target WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs.
Much like prior campaigns, the new botnet variant is capable of scanning for exposed Telnet ports and logging in with default access credentials to infect devices. It is also capable of scanning for specific devices and unpatched systems, and of using one of the exploits in its list to attack and infect them. It uses port 3933 to receive commands from the command and control (C&C) server, such as instructions to launch HTTP flood DDoS attacks.
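The two network behaviours described above, Telnet scanning of many hosts from one source and command traffic over port 3933, are what a defender can look for in perimeter logs. The following is an added example, not code from the original report or from the researchers; the connection-log format, the sample lines and the scan threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall connection log (not taken from the report):
# one source probing many Telnet ports, one host talking to the C&C port.
SAMPLE_LOG = """\
2019-01-10T10:00:01 src=192.0.2.10 dst=198.51.100.5 dport=23 action=allow
2019-01-10T10:00:02 src=192.0.2.10 dst=198.51.100.6 dport=23 action=allow
2019-01-10T10:00:02 src=192.0.2.10 dst=198.51.100.7 dport=23 action=allow
2019-01-10T10:00:03 src=192.0.2.10 dst=198.51.100.8 dport=23 action=allow
2019-01-10T10:00:03 src=192.0.2.10 dst=198.51.100.9 dport=23 action=allow
2019-01-10T10:00:04 src=192.0.2.10 dst=198.51.100.10 dport=23 action=allow
2019-01-10T10:00:05 src=192.0.2.22 dst=203.0.113.77 dport=3933 action=allow
2019-01-10T10:00:06 src=192.0.2.30 dst=198.51.100.40 dport=443 action=allow
2019-01-10T10:00:07 src=192.0.2.31 dst=198.51.100.41 dport=23 action=allow
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
TELNET_PORT = 23
MIRAI_C2_PORT = 3933  # port the report says this variant uses for C&C traffic
SCAN_THRESHOLD = 5    # assumed: distinct Telnet targets from one source before flagging a scan


def parse(log_text):
    """Yield (src, dst, dport) for every line that matches the assumed log format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def find_telnet_scanners(log_text, threshold=SCAN_THRESHOLD):
    """Sources that contacted at least `threshold` distinct hosts on TCP/23."""
    targets = defaultdict(set)
    for src, dst, dport in parse(log_text):
        if dport == TELNET_PORT:
            targets[src].add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)


def find_c2_beacons(log_text, c2_port=MIRAI_C2_PORT):
    """(src, dst) pairs with any connection to the C&C port; each is worth a look."""
    return sorted({(src, dst) for src, dst, dport in parse(log_text) if dport == c2_port})


if __name__ == "__main__":
    print("Telnet scanners:", find_telnet_scanners(SAMPLE_LOG))
    print("Port 3933 connections:", find_c2_beacons(SAMPLE_LOG))
```

A single Telnet connection (192.0.2.31 in the sample) stays below the threshold, so only the host sweeping several addresses is reported as a scanner.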
Trend Micro also found the previous Mirai variant, Yowai, in January, and cybercriminals are expected to continue using and developing Mirai to exploit the increasing number of IoT devices on the market. Given the larger and more damaging effects of malware that infects business systems, IoT device users are advised to immediately change their default credentials to lock out bad actors using this particular method. Systems should be patched immediately using the updates released by legitimate vendors to remove exploitable vulnerabilities.