IoT attacks increase as the Mirai botnet evolves

With the Internet of Things (IoT) industry quickly developing new gadgets, it’s no surprise that hackers are having a field day. As more connected devices come on the market, the more chances they will be probed for their vulnerabilities. And that’s exactly what threat researchers have detected. Since the first half of 2019, cyberthreats on IoT devices have been on the rise with a significant increase in attacks on network-connected smart devices and process controllers. One particularly ubiquitous malware that continues to attack IoT devices is the Mirai botnet and its many variants.

What is the Mirai botnet?

Mirai is a type of malware that infects smart devices run on the ARC processor. It attacks these devices, turning them into a network of remotely controlled bots (called a botnet) that is often then used to launch DDos (distributed denial-of-service) attacks. After an infamous attack in 2016, the authors of the Mirai malware released the source code to the public and since then it’s continued to evolve. It’s been replicated and modified by experienced cybercriminals and unskilled threat actors alike, making it harder to trace and take down.

How does Mirai work?

The Miria botnet is simple and efficient. Mirai scans the internet for IoT devices that run on the ARC processor, which runs a stripped-down version of the Linux operating system. These devices can be anything from baby monitors, network routers, medical devices, home appliances, smoke detectors, CC cameras and even vehicles. If it finds an open Telenet port where the default username and password combination has not been changed, Mirai will try to infect the device by brute forcing the logins using different combinations of default credentials.

Once it has successfully logged in, Mira sends the victim IP and related credentials to a reporting server. After it’s assessed and gathered the information it needs about the environment it’s running in, it will use this information to download second stage payloads and device specific malware.

Avira honeypot captures Mirai Corona

With more people at home during the COVID-19 pandemic, it seems even hackers had more time on their hands to get creative. And apparently, they’re fans of irony. The Avira IoT honeypot captured samples of modified variants of Mirai using “CORONA” as part of their command string code and thus named it “Mirai Corona”.  The variant had a few notable features including a different control flow obfuscation and custom encryption and decryption techniques. A detailed analysis of the Avira Protection Labs findings can be read here. 

What can be done to protect against Mirai malware? 

The industry needs to start adopting best practices to improve the security of connected devices. For starters they could do away with default credentials. Another big help to protect against malware attacks on IoT devices would be to implement regular, automatic patches as users have proven they are not taking care to do this manually. Whatever the steps, the responsibility to manufacture and provide safe smart devices should ultimately be in the hands of IoT vendors and not the end-users.