A variant of the Mirai malware pummeled a U.S. college last month with a marathon 54-hour long attack. Researchers say this latest Mirai variant is a more potent version of the notorious Mirai malware that made headlines in October, targeting DNS provider Dyn and the Krebs on Security website.
The IoT botnet behind the DDoS attacks is flooding its targets with HTTP traffic in application layer attacks, according to a technical overview by security firm Imperva posted on Wednesday.
Researchers say attackers are leveraging 9,793 CCTV cameras, DVRs and routers, and are exploiting the same vulnerabilities as the original Mirai malware. “We are seeing the same attack patterns and the same vulnerabilities being exploited; right down to the telnet ports as with Mirai last year,” said Dima Berkerman, security research specialist at Imperva in an interview with Threatpost.
According to Berkerman the multi-day DDoS attack maintained a traffic flow of 30,000 requests per second, peaking at 37,000. “This is the most the most we’ve seen out of any Mirai botnet,” Berkerman said.
The Mirai malware, spotted in October, continuously scans the internet looking for connected devices such as routers, IP-connected cameras, DVRs and more. The malware exploits those devices that rely on default, weak, or hard-coded credentials, and forces them to join botnets used in DDoS attacks.
According to Berkerman, who analyzed the attack against the unnamed U.S. college, the new variant is nearly identical to the original except for the fact it contains 30 user-agent alternatives compared to just five used by the previous version. “The larger the range of user agents, the more this version of Mirai is going to be able to circumvent mitigation efforts,” he said.
Researchers say of the 9,793 IPs worldwide controlled by attackers 18 percent are located in the U.S., 11 percent in Israel and another 11 percent in Taiwan.
“Looking at the bigger picture, this variant of Mirai might be a symptom of the increased application layer DDoS attack activity we saw in the second half of 2016,” said Bekerman. “That said, with over 90 percent of all application layer assaults lasting under six hours, an attack of this duration stands in a league of its own.”
He noted, while the original Mirai malware launched flood-based attacks at Layer 2 and 3, the most recent attacks were HTTP-based attacks at Layer 7.
Imperva said 56 percent of all IPs used in the February attack belonged to DVRs manufactured by one vendor. Berkerman declined to identify the DVR maker, but said that each of the infected devices were used in conjunction with CCTV cameras.
“While we don’t know for sure, open telnet (23) ports and TR-069 (7547) ports on these devices might indicate that they were exploited by known vulnerabilities,” Bekerman said.
One of the router vulnerabilities (CVE-2014-9222) being exploited by the latest version of the Mirai malware was identified in previous Mirai attacks as taking advantage of the router’s TR-064 interface which is accessible via the internet-facing WAN port. That allows remote management with no authentication. The other router vulnerability (CVE-2017-5521) only required default credentials.
Flaws found in the CCTV and DVR hardware allowed a default Linux telnet credential to be used. Mitre’s Common Vulnerabilities and Exposures identifiers for those vulnerabilities incude; CVE-1999-0502, CVE-2016-6535, CVE-2016-1000245 and CVE-2016-1000246.
Imperva said each of these CVEs listed were also exploited by earlier versions of the Mirai malware.