Mirai splinter botnets dominate IoT attack scene

One of the most well-known botnets ever to exist continues to plague PCs and connected devices.
Written by Charlie Osborne, Contributing Writer

Botnets built from the Mirai codebase continue to wreak havoc in the technology arena, with cyberattackers taking advantage of lax Internet of Things (IoT) security in widespread attacks.

Computers and other connected devices, including IoT and network-attached storage (NAS) devices, are compromised through weak credentials, vulnerabilities, exploit kits, and other security weaknesses.

These systems join a network of slave devices that can be commanded to perform malicious activities.

Attack types commonly associated with botnets are the launch of Distributed Denial-of-Service (DDoS) attacks, brute-force attacks leading to information theft and ransomware deployment, and the covert installation of cryptocurrency mining software on vulnerable, Internet-facing servers. 

The most well-known, perhaps, is Mirai, which made its debut with catastrophic DDoS attacks in 2016 against DNS provider Dyn and the website of cybersecurity expert and reporter Brian Krebs.

Mirai's source code was then released online, opening up an avenue for variants to be created including Okiru, Satori, and Masuta. 

Despite the age of the original botnet, the continued reuse of its code in mutated variants means that Mirai is still a risk to organizations today.

On Tuesday, Intel 471 published a new report on Mirai's fracturing into new forms and a reported surge in attacks against IoT devices using these botnet variations during 2020 and 2021.

"Threat actors seized the opportunity to not only create large botnets, but also steal confidential data from IoT devices linked to compromised organizations, and potentially sell it on underground marketplaces," the researchers say.

As IoT device numbers are expected to reach approximately 30.9 billion by 2025, the team expects the threat – and overall power – of botnets to only continue to expand. 

At present, Gafgyt and Mirai, alongside multiple botnets based on Mirai code such as BotenaGo, Echobot, Loli, Moonet, and Mozi, are being used to target devices primarily based in Europe and North America. 

Threat actors are commonly using the vulnerabilities below in exploit kits to compromise IoT devices and increase the power of their networks:

  • CVE-2018-4068, CVE-2018-4070 and CVE-2018-4071: Information leaks in Sierra Wireless AirLink (ES450 FW version 4.9.3)
  • CVE-2019-12258, CVE-2019-12259, CVE-2019-12262 and CVE-2019-12264: DoS vulnerabilities in the Wind River Systems VxWorks RTOS
  • CVE-2019-12255, CVE-2019-12260, CVE-2019-12261 and CVE-2019-12263: Memory corruption flaws in the VxWorks RTOS
  • CVE-2021-28372: An authentication bypass bug in the ThroughTek Kalay P2P SDK (versions 3.1.5 and earlier)
  • CVE-2021-31251: An improper authentication issue in Chiyu Technology firmware

"The cybercriminal underground will continue to build off of Mirai, targeting every piece of equipment it can as the IoT market continues to boom," the cybersecurity firm says.

Intel 471 recommends that organizations implement IoT device monitoring processes, perform regular security audits, rotate credentials and keys routinely, and maintain regular patch application cycles.
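One concrete piece of the "IoT device monitoring" that Intel 471 recommends is watching authentication logs for the credential brute-forcing the article describes. The script below is an added example written for this page, not code from the article or from Intel 471. It assumes an IoT gateway or NAS that logs logins in the sshd syslog format, parses the lines, and flags any source address with a burst of failed logins inside a short window, noting whether a successful login from the same source followed the burst (the pattern a weak-credential compromise leaves behind). The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in sshd/syslog style (not from the article).
# 203.0.113.5 hammers common usernames and then gets in; 192.0.2.10 is a
# normal user who mistypes a password once and then logs in with a key.
SAMPLE_LOG = """\
Jan 12 10:00:01 iot-gw sshd[412]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 12 10:00:02 iot-gw sshd[412]: Failed password for admin from 203.0.113.5 port 40002 ssh2
Jan 12 10:00:03 iot-gw sshd[412]: Failed password for invalid user support from 203.0.113.5 port 40003 ssh2
Jan 12 10:00:04 iot-gw sshd[412]: Failed password for admin from 203.0.113.5 port 40004 ssh2
Jan 12 10:00:05 iot-gw sshd[412]: Failed password for root from 203.0.113.5 port 40005 ssh2
Jan 12 10:00:06 iot-gw sshd[412]: Accepted password for admin from 203.0.113.5 port 40006 ssh2
Jan 12 10:05:00 iot-gw sshd[413]: Failed password for alice from 192.0.2.10 port 50000 ssh2
Jan 12 10:06:00 iot-gw sshd[413]: Accepted publickey for alice from 192.0.2.10 port 50001 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(log_text):
    """Turn sshd log lines into dicts with timestamp, outcome, username and source IP."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore unrelated syslog lines
        # syslog timestamps carry no year; fine for ordering within one log window
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append({"ts": ts, "ok": m["result"] == "Accepted",
                       "user": m["user"], "src": m["src"]})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {src: finding} for every source with >= threshold failures inside `window`.

    The finding records the largest failure burst seen, the usernames tried in it,
    and whether the same source logged in successfully after the burst.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if not e["ok"]]
        start = 0
        for end in range(len(failures)):
            # slide the window start forward until the span fits in `window`
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > findings.get(src, {}).get("failures", 0):
                last_fail = failures[end]["ts"]
                findings[src] = {
                    "failures": count,
                    "users_tried": sorted({e["user"] for e in failures[start:end + 1]}),
                    # a success right after a burst suggests a weak credential was guessed
                    "success_after_burst": any(e["ok"] and e["ts"] >= last_fail for e in evs),
                }
    return findings


if __name__ == "__main__":
    for src, finding in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, finding)
```

In the constructed input the script reports 203.0.113.5 with five failures against root, admin and support followed by a successful password login, and stays quiet about 192.0.2.10. The threshold and window are deliberately parameters: a device that exposes Telnet or SSH to the Internet sees constant low-rate scanning, so tune them to the device's normal traffic before alerting on them.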
