When cybersecurity professionals hear the term “Mirai,” the vast majority will immediately think of the large distributed denial of service (DDoS) attack launched with the malware on October 21, 2016. Since that incident, however, Mirai has fractured into several new forms, all with largely the same goal: to infect the devices, and the software and communication channels around them, that make up the Internet of Things.
In 2020 and 2021, Intel 471 observed a surge in Internet of Things (IoT) device attacks. Threat actors seized the opportunity to not only create large botnets, but also steal confidential data from IoT devices linked to compromised organizations, and potentially sell it on underground marketplaces. Our research found these actors typically targeted devices — mainly in Europe and North America — by deploying two kinds of botnet malware: Gafgyt and Mirai. Our research also uncovered that numerous threat actors have developed and are selling access to botnets built from Mirai code bases. These research findings further support that Mirai has been extremely influential in providing source code for IoT-focused botnets.
Given that the total number of IoT devices connected worldwide is projected to reach about 30.9 billion by 2025, the attack surface available to these botnets is only going to grow. By understanding how the underground exploits the flaws in these devices, organizations can take proactive measures to limit the damage actors could inflict through this technology.
The business behind the botnets
Many botnets that are derivatives of Mirai — including BotenaGo, Echobot, Gafgyt, Loli, Moonet, Mozi and Zeroshell — have been active since the start of the COVID-19 pandemic in early 2020 and have continued to evolve throughout 2021. Some of the actions we have observed:
In April 2020, a Russian-speaking threat actor advertised access to the Moobot botnet for targeted DDoS attacks, specifically against small office/home office (SOHO) and IoT devices. By October 2021, that actor was also using a different IoT-focused botnet to launch coordinated attacks.
Also in April 2020, a different Russian-speaking actor advertised source code to a different IoT-focused botnet, which looked to be built off chunks of code from Mirai.
In November 2021, another threat actor offered to rent out multiple DDoS botnets, allegedly developed by a hacker team they were associated with.
Additionally, we observed other threat actors demonstrate a willingness to form partnerships in order to deploy proxy malware on IoT devices. In July 2021, one particular actor was looking for partners after claiming to have developed new IoT malware that could establish SOCKS5 (Socket Secure, version 5) proxies, kill other processes and set up honeypots on infected devices to trap competing malware.
What exactly is being targeted
Given the breadth of devices that fall under the “Internet of Things” umbrella — smartwatches, driverless vehicles, thermostats, smart TVs, insulin pumps, and pacemakers, to name a few — threat actors have a plethora of targets to direct their attacks against.
We observed threat actors discussing several Common Vulnerabilities and Exposures (CVEs) impacting IoT devices, including:
CVE-2018-4068, CVE-2018-4070 and CVE-2018-4071 – Information disclosure vulnerabilities impacting Sierra Wireless AirLink ES450 gateways running firmware version 4.9.3.
CVE-2019-12258, CVE-2019-12259, CVE-2019-12262 and CVE-2019-12264 – DoS vulnerabilities impacting several versions of Wind River Systems’ VxWorks real-time operating system (RTOS).
CVE-2019-12255, CVE-2019-12260, CVE-2019-12261 and CVE-2019-12263 – Memory corruption vulnerabilities impacting several versions of Wind River Systems' VxWorks RTOS.
CVE-2021-28372 – An authentication bypass vulnerability impacting ThroughTek Kalay P2P Software Development Kit (SDK) versions 3.1.5 and earlier.
CVE-2021-31251 – An improper authentication vulnerability impacting multiple firmware versions from Chiyu Technology, for which an exploit and a walk-through demonstration of it were observed in open sources.
Aside from these vulnerabilities, we also observed threat actors offering an increased quantity of buffer overflow and path traversal vulnerabilities that are used to deploy Mirai-based botnets.
When discussing how they would like to exploit these vulnerabilities, actors typically listed specific parameters, including the type of exploit, the number of online devices affected by it and the location of those devices. The number of devices usually ranged from 2,000 to 3,000. Additionally, some threat actors appeared to want proofs of concept (PoCs) or exploits that were not publicly available, likely to maintain a level of exclusivity.
What lies ahead
We assess with a high degree of confidence that IoT security will remain of significant importance to organizations moving forward. The tactics, techniques and procedures (TTPs) we observed are likely to persist, and they indicate a resourceful interest in, and investment in, exploring the full potential of this attack method. The cybercriminal underground will continue to build off of Mirai, targeting every piece of equipment it can as the IoT market continues to boom.
To combat the risks this challenging security landscape poses, IoT and business strategies must be complementary and tightly integrated. Intel 471 recommends that organizations monitor all IoT devices, apply network segmentation, perform security audits, regularly apply security patches and updates, and routinely change default credentials and cryptographic keys.
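One concrete form the "monitor all IoT devices" recommendation can take is watching for the spreading behaviour Mirai-derived bots share: an infected device fans out connection attempts to many distinct hosts on TCP 23 and 2323, the ports Mirai's original scanner probes (derivatives add others, so the port set is a parameter here). The following is an added example, not Intel 471's tooling or code from any botnet; the log format and the log lines are constructed for the example, and the window and threshold values are illustrative assumptions to be tuned per network.

```python
"""Flag hosts fanning out telnet connection attempts the way a Mirai-style
scanner does.

Added example; not Intel 471's tooling. The log format is a generic,
constructed firewall/flow export with one event per line:
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <allow|deny>
Denied attempts are counted too: on a segmented network an infected device's
scan is blocked but still visible, which is exactly the signal we want.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

# Ports Mirai's original scanner probes; derivatives use more (assumption: tune per network).
SCAN_PORTS = {23, 2323}

# Constructed sample: 10.0.5.17 behaves like an infected camera, 10.0.5.20 is an
# administrator reaching one switch over telnet, 10.0.5.30 is ordinary web traffic.
SAMPLE_LOG = """\
1700000000 10.0.5.30 198.51.100.10 443 allow
1700000002 10.0.5.20 10.0.5.50 23 allow
1700000003 10.0.5.17 203.0.113.11 23 deny
1700000003 10.0.5.17 203.0.113.12 23 deny
1700000004 10.0.5.17 203.0.113.13 2323 deny
1700000004 10.0.5.17 203.0.113.14 23 deny
1700000005 10.0.5.17 203.0.113.15 23 deny
1700000005 10.0.5.17 203.0.113.16 2323 deny
1700000006 10.0.5.17 203.0.113.17 23 deny
1700000006 10.0.5.17 203.0.113.11 23 deny
1700000007 10.0.5.20 10.0.5.50 23 allow
1700000010 10.0.5.30 198.51.100.11 443 allow
"""


@dataclass
class Alert:
    src: str
    first_seen: int
    last_seen: int
    distinct_targets: int


def parse_line(line):
    """Split one constructed log line into (ts, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return int(ts), src, dst, int(dport), action


def detect_scanners(lines, ports=SCAN_PORTS, window=60, threshold=5):
    """Return one Alert per source that contacted >= `threshold` distinct
    destinations on `ports` within any `window`-second span.

    A per-source sliding window of (ts, dst) pairs plus a Counter of
    destinations keeps the distinct-target count exact without rescanning.
    """
    pending = defaultdict(deque)    # src -> deque of (ts, dst) inside the window
    counts = defaultdict(Counter)   # src -> Counter of dst -> hits in window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, _action = parse_line(line)
        if dport not in ports:
            continue
        q, c = pending[src], counts[src]
        q.append((ts, dst))
        c[dst] += 1
        # Expire events that fell out of the window (input is assumed time-ordered).
        while q and ts - q[0][0] > window:
            old_ts, old_dst = q.popleft()
            c[old_dst] -= 1
            if c[old_dst] == 0:
                del c[old_dst]
        if len(c) >= threshold:
            alert = alerts.get(src)
            if alert is None:
                alerts[src] = Alert(src, q[0][0], ts, len(c))
            else:
                alert.last_seen = ts
                alert.distinct_targets = max(alert.distinct_targets, len(c))
    return sorted(alerts.values(), key=lambda a: a.first_seen)


if __name__ == "__main__":
    for alert in detect_scanners(SAMPLE_LOG.splitlines()):
        print(f"{alert.src}: {alert.distinct_targets} distinct telnet targets "
              f"between {alert.first_seen} and {alert.last_seen}")
```

The administrator host never trips the rule because it talks to a single destination, while the infected camera is flagged on its fifth distinct target even though every attempt was denied. Pair the alert with the segmentation and default-credential recommendations above: a flagged device is a candidate for isolation and for checking whether it still runs factory credentials.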