The infamous Mirai internet of things botnet is spiking in growth while changing up its tactics, techniques and procedures so far in 2019, to target more and more enterprise-level hardware. It’s a state of affairs that presents a greater concern than ever before given the ongoing migration to the cloud era, researchers said.
According to researchers at IBM X-Force, Mirai is now made up of several different related botnets, which sometimes compete with each other. Since bursting on the scene with a massive DDoS takedown of DNS provider Dyn – which impacted vast swathes of the internet including major sites like Twitter, Spotify and GitHub – the botnet has proliferated into at least 63 Mirai variants, the firm said.
“Mirai malware and its variants are evolving with their operator’s intents, delivering a variety of exploits and increasingly aimed against enterprise environments,” said researchers at IBM X-Force, in an analysis posted on Thursday. “As IoT devices become more common among households and large organizations, Mirai and its variants will continue to evolve to adapt to the changing environments and targets of its choice.”
That adaptation includes matching different kinds of payloads to a wider set of victims and various types of hardware. For instance, in March, IBM X-Force researchers discovered new Mirai samples aimed at enterprise IoT devices that were dropping cryptocurrency miners and new types of backdoors onto affected devices.
“Cryptominers can be very effective at monetizing access as they leverage the computing power of infected IoT devices to generate money for the bad guys, even at the cost of damaging overheating devices that have little computing power compared to actual central processing unit and graphics processing unit resources,” explained the researchers.
Researchers also spotted threat actors dropping a PHP-based reverse backdoor shell called C99Shell, which showed a new level of sophistication by using steganography to trigger the download of subsequent payloads.
“The expansion of the Mirai family of payloads beyond simple reverse shells is worrisome because it allows threat actors to quickly download any number of malicious files onto a large number of IoT devices,” the researchers noted.
In terms of enterprise targets, IBM X-Force also found that more than 80 percent of all observed botnet activity this year has targeted the media/information services and insurance industries.
“These industries could be seeing higher focus from IoT botnets because they have a larger overall footprint or because they may have a larger geographic distribution, significant IoT usage or propensity for early technology adoption,” the firm said.
The shift toward an enterprise focus is also concerning, given that IoT devices connected to cloud architecture could allow Mirai adversaries to gain access to cloud servers, the researchers noted.
“They could infect a server with additional malware dropped by Mirai or expose all IoT devices connected to the server to further compromise,” according to the analysis. “As organizations increasingly adopt cloud architecture to scale efficiency and productivity, disruption to a cloud environment could be catastrophic.”
A Growing Threat
Overall, IBM X-Force telemetry showed that Mirai activity nearly doubled between the first quarter of 2018 and the first quarter of 2019.
“Compared to other botnets that target IoT devices, Mirai and variants of Mirai are by far the most popular malware to hit enterprise networks in 2019 to date,” according to the analysis. “In fact, Mirai variants were observed more than twice as frequently as the next most popular Mirai-like botnet, Gafgyt. The prevalence of Mirai underscores the utility threat actors perceive it to have and their ability to leverage its capabilities.”
The IoT landscape is a rich hunting ground for botherders looking for devices to add to their networks. The install base of connected devices is expected to reach more than 31 billion devices by 2020, according to Business Insider Intelligence. Many of them will likely be left with default passwords, or will be installed and never updated or patched, researchers said.
“Many IoT devices are treated as fire-and-forget: Once initially set up, IoT devices are not monitored or checked for abnormal behavior, meaning an infected device could be operating for a significant period of time before issues are ever detected,” according to IBM X-Force.