Mirai botnet used to steal confidential data via IoT devices


The notorious Mirai malware serves as a basis for a whole ecosystem of botnets.

More than five years have passed since the Mirai botnet was discovered in August 2016. In that time, the malware behind some of the largest distributed denial-of-service (DDoS) attacks on record has mutated.

According to research by Intel 471, a cyber threat intelligence company, Mirai has since spawned many different botnets, all with seemingly similar objectives: to steal data using Internet of Things (IoT) devices.

Moreover, threat actors have been actively developing and selling access to botnets built from the Mirai codebase, forming a botnet-based ecosystem.

"Cybercriminals' technical skills range, so instead of learning a skill set, they will just ask around to see if someone is willing to team up for a cut of the profit from their schemes," Greg Otto, a researcher at Intel 471, told CyberNews.

Mirai-based threat


Several active botnets are derivatives of Mirai, the report's authors claim. BotenaGo, Echobot, Gafgyt, Loli, Moonet, Mozi, and Zeroshell have all been particularly active since early 2020, when the pandemic pushed many people to work from home.

According to Intel 471, in April 2020, a Russian-speaking threat actor advertised access to the Moobot botnet, made up of compromised small office/home office (SOHO) and IoT devices, for targeted DDoS attacks. By October 2021, that actor was also using another IoT-focused botnet to launch coordinated attacks.

A different Russian-speaking threat actor advertised the source code of another IoT-focused botnet built with chunks of code lifted from Mirai.

As recently as November 2021, threat actors were offering to rent out multiple DDoS botnets, allegedly developed by a hacker team the seller was associated with.


Researchers noted that threat actors started partnering to deploy proxy malware on IoT devices.

According to Otto, threat actors will often advertise access to a botnet they built with their own malware. Other actors then use that access to deploy their own bespoke malware on the infected devices, launching new attacks or expanding ones already under way.

"It's a pipeline that shows how the cybercrime underground works together to steal money and data from organizations," Otto explained.

Known vulnerabilities

Botnets with IoT-focused goals have many targets to choose from, as every internet-facing device can, in theory, be infected.

The report's authors say they have observed threat actors using known CVEs that affect IoT devices. One example is CVE-2021-28372, an authentication bypass in the ThroughTek Kalay P2P Software Development Kit (SDK), versions 3.1.5 and earlier.

A complete list of vulnerabilities is included in the report.

Threat actors are also offering a growing number of buffer overflow and path traversal vulnerabilities for sale, which are used to push Mirai-based botnets onto new devices.


"When discussing how they would like to exploit these vulnerabilities, actors typically listed specific parameters, including the type of exploit, amount of devices online impacted by the exploit, and the location of such devices. The amount of devices usually ranged from 2,000 to 3,000," reads the report.

Since IoT devices vary so much, Otto notes, mitigation techniques and security measures differ from device to device. Generic security measures should nonetheless include:

  • Change default credentials and rotate cryptographic keys
  • Perform security audits
  • Patch and update devices regularly
  • Monitor all devices and segment the network
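The "monitor all devices" item is the one that catches an infection after the fact. Mirai's published scanner sprays TCP connection attempts at ports 23 and 2323 of random addresses, so a compromised camera or router on a segment shows up as one source contacting many distinct destinations on those ports in a short window. The script below is an added example (not code from the Intel 471 report or from CyberNews) that applies a sliding-window "distinct telnet destinations per source" rule to flow records. The record format, the 60-second window, the threshold of 20 destinations and the sample traffic are all assumptions constructed for the example.

```python
"""Flag hosts that behave like a Mirai-style telnet scanner.

Added example, not code from the Intel 471 report or CyberNews.
Input is a constructed, simplified flow record per line (assumption):
    <ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>
"""
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}        # ports Mirai's scanner targets
WINDOW_SECONDS = 60              # assumed sliding window
DISTINCT_DST_THRESHOLD = 20      # assumed alert threshold


def parse_flow(line):
    """Split one flow record into (timestamp, src, dst, port, proto)."""
    ts, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), proto


def detect_telnet_scanners(lines, window=WINDOW_SECONDS,
                           threshold=DISTINCT_DST_THRESHOLD):
    """Return {src_ip: peak distinct telnet destinations in any window}
    for every source whose peak reaches the threshold."""
    events = defaultdict(list)  # src -> [(ts, dst), ...] on telnet ports
    for line in lines:
        ts, src, dst, port, proto = parse_flow(line)
        if proto == "tcp" and port in TELNET_PORTS:
            events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()                       # records may arrive out of order
        in_window = defaultdict(int)     # dst -> hits inside the window
        left, peak = 0, 0
        for ts, dst in evs:
            in_window[dst] += 1
            # slide the left edge forward until the window fits
            while (ts - evs[left][0]).total_seconds() > window:
                old_dst = evs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def constructed_flows():
    """Constructed sample traffic: one infected camera, one admin doing
    legitimate telnet to three lab devices, one ordinary HTTPS client.
    Addresses use the RFC 5737 documentation ranges."""
    base = datetime(2021, 11, 15, 3, 14, 0)
    lines = []
    # infected camera: 25 distinct targets on 23/2323 within 25 seconds
    for i in range(25):
        t = base + timedelta(seconds=i)
        port = 23 if i % 4 else 2323
        lines.append(f"{t.isoformat()} 192.168.1.50 198.51.100.{i + 1} {port} tcp")
    # admin workstation: three telnet sessions spread over ten minutes
    for i, dst in enumerate(["192.168.1.201", "192.168.1.202", "192.168.1.203"]):
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{t.isoformat()} 192.168.1.5 {dst} 23 tcp")
    # ordinary HTTPS traffic, never on a telnet port
    for i in range(30):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 192.168.1.10 203.0.113.{i % 5 + 1} 443 tcp")
    return lines


if __name__ == "__main__":
    for src, peak in detect_telnet_scanners(constructed_flows()).items():
        print(f"ALERT {src}: {peak} distinct telnet destinations in "
              f"{WINDOW_SECONDS}s, Mirai-style scanning?")
```

The admin host is deliberately left below threshold: three slow, legitimate telnet sessions are normal management traffic, while a Mirai scanner hits dozens of addresses per minute. Tune the window and threshold to the segment; a flat "any telnet is bad" rule fires constantly on networks that still manage devices over telnet, which is exactly where Mirai-class bots live.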

Relentless attackers

2021 has already brought several major DDoS attacks to the table. In November, a multi-vector attack peaked just under 2 Tbps, making it one of the largest ever recorded.

Researchers have also described a new botnet, Abcbot, that goes after cloud-based systems.

Another major botnet, Mēris, marked the return of large-scale DDoS botnets. In August, Russian tech giant Yandex was hit by what was then the largest DDoS attack on record by request rate.

The distributed denial-of-service (DDoS) attack against Yandex, which ran from August into September, peaked at roughly 22 million requests per second (RPS).

Recent reports show that 2021 will be yet another record year for the number of DDoS attacks carried out. Threat actors launched approximately 2.9 million DDoS attacks in the first quarter of 2021, a 31% increase from the same time in 2020.

In a DDoS attack, vast numbers of "bots" direct traffic at a target. The attack is "distributed" because it comes from many machines at once: the bots are infected computers and devices spread across many locations, with no single host to block. You may be hosting a bot right now without knowing it.

When attackers point their bots at a specific target, the effects are unpleasant. The goal of a DDoS attack is a "denial of service": legitimate users can no longer reach the target system, and the service, or the network in front of it, goes offline.

If you have repeatedly struggled to access a retail website, you may well have run into a denial of service. Recovery can take hours or days.

