A security researcher reportedly discovered a new variant of Mirai (identified by Trend Micro as the ELF_MIRAI family) that is spreading quickly. A notable increase in traffic on ports 2323 and 23 was observed over the weekend, with around 100,000 unique scanner IPs coming from Argentina.
Attackers have discovered a large number of ZyXEL devices using admin/CenturyL1nk and admin/QwestM0dem as default Telnet credentials. These ZyXEL devices combine a DSL modem and a router and are supplied by the US-based internet service providers (ISPs) CenturyLink and Qwest. ZyXEL PK5001Z routers also have a hardcoded superuser password (zyad5001) that could be used to elevate a user's access to root level and install the DDoS malware. According to the researcher, the abuse of admin/CenturyL1nk and admin/QwestM0dem began at around 2017-11-22 11:00 and peaked the following day. About 60 hours ago, large upticks in scan traffic on ports 2323 and 23 were noticed, and a subsequent investigation points to the new Mirai variant as the cause of the activity. The scanner IPs reportedly came from the network of the local ISP Telefonica de Argentina.
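The observable that tipped off the researcher was a jump in the number of distinct source IPs probing ports 23 and 2323 within a short window. The following added example (not code from Trend Micro or the researcher) shows how a defender can reproduce that check from their own firewall or NetFlow exports: it buckets unique Telnet-port scanners per hour and flags any hour whose count jumps well above the trailing baseline. The one-line log format and the sample lines are constructed here for illustration; the timestamps, addresses and thresholds are assumptions, and parse_line() would be adapted to a real export format.

```python
"""Hourly unique-scanner counts on Telnet ports (23, 2323) with uptick detection.

Added illustration for this article, not Trend Micro's or the researcher's code.
The log format "timestamp src_ip dst_port action" and the sample lines below are
constructed; addresses come from documentation ranges (RFC 5737).
"""
from collections import defaultdict
from datetime import datetime

TELNET_PORTS = {23, 2323}

# Constructed sample firewall log: two quiet hours, then a burst of new
# scanner addresses in the 11:00 hour (mirroring the article's timeline).
SAMPLE_LOG = """\
2017-11-22T09:00:12Z 203.0.113.5 23 DENY
2017-11-22T09:10:40Z 203.0.113.9 2323 DENY
2017-11-22T09:30:01Z 203.0.113.5 443 DENY
2017-11-22T10:02:18Z 198.51.100.7 23 DENY
2017-11-22T10:45:55Z 198.51.100.8 2323 DENY
2017-11-22T11:00:03Z 192.0.2.10 23 DENY
2017-11-22T11:00:09Z 192.0.2.11 2323 DENY
2017-11-22T11:01:22Z 192.0.2.12 23 DENY
2017-11-22T11:03:47Z 192.0.2.13 23 DENY
2017-11-22T11:05:10Z 192.0.2.14 2323 DENY
2017-11-22T11:07:31Z 192.0.2.15 23 DENY
2017-11-22T11:09:58Z 192.0.2.16 2323 DENY
2017-11-22T11:12:04Z 192.0.2.17 23 DENY
2017-11-22T11:15:00Z 192.0.2.10 23 DENY
"""


def parse_line(line):
    """Parse one log line into (timestamp, src_ip, dst_port, action).

    Returns None for blank or malformed lines so a single bad record
    does not abort the whole analysis.
    """
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        port = int(parts[2])
    except ValueError:
        return None
    return ts, parts[1], port, parts[3]


def telnet_scanners_by_hour(log_text):
    """Map each hour window (as "YYYY-MM-DDTHH:00Z") to the set of unique
    source IPs that touched port 23 or 2323 in that hour."""
    windows = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, port, _action = rec
        if port in TELNET_PORTS:
            windows[ts.strftime("%Y-%m-%dT%H:00Z")].add(src)
    return dict(windows)


def detect_upticks(windows, ratio=3.0, min_scanners=5):
    """Flag hours whose unique-scanner count is at least `ratio` times the
    mean of all earlier hours and at least `min_scanners` (so 1 -> 3 is
    not an alert). Returns [(window, count, baseline_mean), ...]."""
    flagged = []
    earlier = []
    for start in sorted(windows):
        n = len(windows[start])
        if earlier:
            baseline = sum(earlier) / len(earlier)
            if n >= min_scanners and n >= ratio * baseline:
                flagged.append((start, n, baseline))
        earlier.append(n)
    return flagged


if __name__ == "__main__":
    per_hour = telnet_scanners_by_hour(SAMPLE_LOG)
    for start in sorted(per_hour):
        print(f"{start}: {len(per_hour[start])} unique Telnet-port scanners")
    for start, n, baseline in detect_upticks(per_hour):
        print(f"UPTICK {start}: {n} scanners vs baseline {baseline:.1f}")
```

On the constructed sample the first two hours each show 2 unique scanners and the 11:00 hour shows 8, so that hour is flagged. In production the same logic would run over a rolling window of the real export, and a per-port split (23 versus 2323) is a one-line extension of the bucketing key.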
In 2016, Mirai gained notoriety after it launched massive and widespread attacks by turning vulnerable connected devices (including routers, CCTV cameras, and DVRs) into weaponized zombies. It made headlines again in February this year after a Windows Trojan was found helping it find potential victims and amplifying its distribution. Variants were used in attacks that affected major sites like Netflix, Reddit, Twitter, and Airbnb, as well as 900,000 home routers from Deutsche Telekom.
Solution and Mitigation
Enterprises that could be affected by Mirai will have to deal with business disruptions, possible monetary loss, and even damaged brand reputations if the threat is not averted. Router providers should make sure that their products are secure enough to withstand attacks. These best practices can mitigate the risks posed by this threat.
In addition, Trend Micro™ Security and Trend Micro Internet Security offer effective protection against this threat, with security features that can detect malware at the endpoint level. To protect IoT devices like home routers, security solutions like Trend Micro™ Home Network Security can check internet traffic between the router and all connected devices. Enterprises can use Trend Micro™ Deep Discovery™ Inspector, a network appliance that monitors all ports and over 105 different network protocols to discover advanced threats and targeted attacks.