Mirai-based botnet updates ‘arsenal of exploits’ on routers, IoT devices

Jason Macuray
A Mirai-based malware botnet has expanded its payload arsenal to aggressively target routers and other internet-facing devices, researchers have discovered.

The variant, called IZ1H9, was observed by researchers at Fortinet exploiting vulnerabilities in products from nine different brands, including D-Link, Netis, Sunhillo, Geutebruck, Yealink, Zyxel, TP-Link, Korenix and TOTOLINK. “Peak exploitation” of the vulnerabilities occurred on September 6, the researchers believe.

“This highlights the campaign’s capacity to infect vulnerable devices and dramatically expand its botnet through the swift utilization of recently released exploit code, which encompasses numerous CVEs,” they wrote.

The IZ1H9 variant was discovered in August 2018, two years after Mirai’s original botnet was first seen infecting Linux-based devices. Mirai has been used in some of the most disruptive distributed denial-of-service (DDoS) attacks recorded, including a 2016 incident that brought down websites including Twitter, Reddit and Netflix.

Callie Guenther, senior manager of cyber threat research at the cybersecurity company Critical Start, said the scope of the targeted devices raises alarms.

“Given that IZ1H9 is targeting a multitude of devices and vulnerabilities, it has the potential to amass a vast botnet,” she said. “This means that its DDoS attacks could be especially potent, capable of taking down high-profile websites or critical online services.”

DDoS attacks work by overwhelming targeted websites with junk traffic, often coming from infected devices that together form a botnet.

As recent geopolitical events have shown, DDoS attacks seldom inflict lasting damage, but they do have the potential to make difficult scenarios even worse for victims. After Hamas’ surprise attack on Israel on Saturday, for example, hacktivists launched cyberattacks on entities connected to both sides of the war.

“At a time of great geopolitical unrest, increased DDoS attacks are likely,” said John Bambenek, Principal Threat Hunter at the IT management company Netenrich. “With these changes, more vulnerable devices are out there and this is purely a math game. More nodes in the botnet mean more attacks and more outages.”

On Tuesday, Amazon, Google and Cloudflare said they had detected the largest DDoS attacks on record, driven by a newly discovered vulnerability that they called an HTTP/2 Rapid Reset Attack.

Additional reporting by Jonathan Greig.


James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.