The Mirai botnet has already caused serious disruption at high-profile organizations, and with its new version we can expect it to go after already vulnerable IoT devices with far more zeal and intensity.
“The attack attempted to infect routers with malware, but failed, which caused crashes or restrictions for 4 to 5 percent of all routers.”
The company was targeted because it had vulnerable internet routers. Because of the Mirai botnet, nearly one million Deutsche Telekom customers experienced internet connectivity issues.
The news was reported on Monday and it was revealed that the company immediately identified Mirai as the main source of the attack. It was also reported that Mirai malware managed to infect over 500,000 IoT devices including routers, CCTV cameras and DVRs.
Now, with the new and improved version of the malware, security researcher Johannes Ullrich of the SANS Technology Institute says the number of infected devices will grow at a rapid pace.
Ullrich observed the infections in IoT devices and came to the conclusion that the malware has been upgraded especially to exploit a specific vulnerability in internet routers manufactured by Zyxel.
Mirai was originally built to exploit internet-connected devices that ran with default logins and passwords. The attackers simply scanned the internet for such devices and then tried their list of over 60 password combinations to log in.
However, research reveals that Mirai’s new version is capable of targeting a Simple Object Access Protocol (SOAP) service flaw. This service is embedded in routers from Zyxel. Currently, the actual number of affected devices is not yet clear. According to Deutsche Telekom’s analysis, around 900,000 of its total 20 million customers experienced internet service issues due to the attack.
Contrary to the telecom firm’s statement, Ullrich says that Mirai’s new version did successfully ensnare some IoT devices. Ullrich also set up a web server as a honeypot to attract the attack. He noted that once the malware infects a device, it moves on to scanning for other vulnerable devices rather than continuing to exploit the one it is on. By Monday morning, Ullrich had identified 100,000 unique IP addresses that attempted to infect his honeypot.
Research has also shown that Mirai does not simply infect devices but enrolls them in a botnet, in effect an army of machines under the attacker’s complete control. That army is then used to launch large-scale DDoS attacks.
As of now, Mirai’s new version has not launched any DDoS attack, and Deutsche Telekom customers have faced connectivity issues only. The telecom firm has issued an advisory to its customers on removing the infection.
Ullrich believes that this new version of the malware has also infected routers belonging to other internet service providers and enterprises; the problem is that those operators are probably not yet aware of it. He estimates that 1 to 2 million routers might be infected.
Ullrich is also urging users to block port 7547 and install patches to secure their devices from infection.
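A defender can reproduce the kind of count Ullrich took from his honeypot by reading a firewall or honeypot log for connection attempts to TCP port 7547 and tallying unique sources and repeat offenders. The script below is an added example, not code from the article or from Ullrich's honeypot; the syslog-style line format and the addresses in `SAMPLE_LOG` are constructed, so the regex must be adapted to a real device's log format.

```python
"""Count sources probing TCP/7547 (the port the article recommends blocking)."""
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample lines in a hypothetical netfilter-style log format.
# The last line probes telnet, and the one before it has 7547 only as the
# source port; neither should be counted as a 7547 probe.
SAMPLE_LOG = """\
Nov 28 06:01:02 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=43121 DPT=7547
Nov 28 06:01:03 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=43122 DPT=7547
Nov 28 06:01:05 gw kernel: ACCEPT IN=eth0 SRC=192.0.2.44 DST=198.51.100.7 PROTO=TCP SPT=50110 DPT=443
Nov 28 06:01:09 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=31337 DPT=7547
Nov 28 06:01:11 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=43123 DPT=7547
Nov 28 06:01:15 gw kernel: DROP IN=eth0 SRC=2001:DB8::1 DST=2001:db8::7 PROTO=TCP SPT=4000 DPT=7547
Nov 28 06:01:18 gw kernel: ACCEPT IN=eth0 SRC=198.51.100.2 DST=198.51.100.7 PROTO=TCP SPT=7547 DPT=5555
Nov 28 06:01:20 gw kernel: DROP IN=eth0 SRC=203.0.113.12 DST=198.51.100.7 PROTO=TCP SPT=22222 DPT=23
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def probes_to_port(log_text, port=7547):
    """Map each source address to its number of TCP connection attempts to `port`."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "TCP" or int(m["dpt"]) != port:
            continue
        try:
            src = ip_address(m["src"])  # normalises case/format, rejects garbage
        except ValueError:
            continue
        hits[str(src)] += 1
    return hits


def summarize(hits, repeat_threshold=3):
    """Unique sources, total attempts, and sources that retried at least `repeat_threshold` times."""
    repeaters = sorted(src for src, n in hits.items() if n >= repeat_threshold)
    return {
        "unique_sources": len(hits),
        "total_attempts": sum(hits.values()),
        "repeaters": repeaters,
    }


if __name__ == "__main__":
    print(summarize(probes_to_port(SAMPLE_LOG)))
```

Run against a day of real gateway logs, a rising `unique_sources` figure for port 7547 is the same signal Ullrich's honeypot produced, and `repeaters` are the first candidates for a block rule.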
Mirai-related attack against Zyxel & rebadged routers. An exploit, not default creds. The shape of things to come? https://t.co/iWGsy3y6KP
— Ken Munro (@TheKenMunroShow) November 28, 2016