Mirai-based botnet updates ‘arsenal of exploits’ on routers, IoT devices

Jason Macuray
A Mirai-based malware botnet has expanded its payload arsenal to aggressively target routers and other internet-facing devices, researchers have discovered.


The variant, called IZ1H9, was observed by researchers at Fortinet exploiting vulnerabilities in products from nine different brands, including D-Link, Netis, Sunhillo, Geutebruck, Yealink, Zyxel, TP-Link, Korenix and TOTOLINK. “Peak exploitation” of the vulnerabilities occurred on September 6, the researchers believe.

“This highlights the campaign’s capacity to infect vulnerable devices and dramatically expand its botnet through the swift utilization of recently released exploit code, which encompasses numerous CVEs,” they wrote.

The IZ1H9 variant was discovered in August 2018, two years after Mirai’s original botnet was first seen infecting Linux-based devices. Mirai has been used in some of the most disruptive distributed denial-of-service (DDoS) attacks recorded, including a 2016 incident that brought down websites including Twitter, Reddit and Netflix.

Callie Guenther, senior manager of cyber threat research at the cybersecurity company Critical Start, said the scope of the targeted devices raises alarms.

“Given that IZ1H9 is targeting a multitude of devices and vulnerabilities, it has the potential to amass a vast botnet,” she said. “This means that its DDoS attacks could be especially potent, capable of taking down high-profile websites or critical online services.”

DDoS attacks work by overwhelming targeted websites with junk traffic, often coming from infected devices that together form a botnet.

As recent geopolitical events have shown, though DDoS attacks seldom inflict lasting damage, they do have the potential to make difficult scenarios even worse for victims. After Hamas’ surprise attack on Israel on Saturday, for example, hacktivists launched cyberattacks on entities connected to both sides of the war.

“At a time of great geopolitical unrest, increased DDoS attacks are likely,” said John Bambenek, Principal Threat Hunter at the IT management company Netenrich. “With these changes, more vulnerable devices are out there and this is purely a math game. More nodes in the botnet mean more attacks and more outages.”

On Tuesday, Amazon, Google and Cloudflare said they detected the largest DDoS attacks on record due to a newly discovered vulnerability, which they called an HTTP/2 Rapid Reset Attack.

Additional reporting by Jonathan Greig.


James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.
