Mirai is the definitive trendsetter botnet. It sprang onto the internet in 2016 with two of the biggest DDoS attacks yet recorded. The sheer size of these attacks was a contrast to the insignificant devices that pulled them off – an army of hijacked surveillance cameras and other IoT devices. Most of these devices were insecure by design, were not password protected, or were installed with the default settings left intact. With the authorities on their tails, the Mirai authors released their source code to the public, perhaps hoping that a barrage of copy-cat attacks would make it easier to hide. That strategy didn’t work, but it did give other hackers a starting point for coding their own new and improved botnet-building malware.
As shown by Unit 42, the two notable newcomer devices in the Mirai exploit kit are the WePresent WiPG-1000 Wireless Presentation system and the LG Supersign TV. There is a clear commercial logic to their inclusion. After all, if a Mirai botnet is going to recruit an army of devices to knock others off the internet with a DDoS attack, it might as well grab devices with more substantial bandwidth behind them than the average toaster. While these devices may also be better protected than a smart fitness device, the bandwidth gained from misusing them could more than make up the difference.
Traditionally, exploit kits are thought of as Windows-specific shopping lists for the bad guys. They shop around, looking for vulnerable devices, and go into action when they see a hole. And as the latest Chrome/Windows zero-day showed, sometimes they can combine exploits for even greater effectiveness. Armed with 27 exploits, this latest Mirai variant is taking that “strength in numbers” perspective. Users – whether businesses or individuals – leaving open ports exposed and not patching devices regularly make it an even easier task.
The name of my router manufacturer was mentioned on the list of exploits and vulnerabilities – but I’m still not sure if my precise device model was there. After all, that manufacturer makes lots of well-known devices. This ambiguity over device security is a significant security risk all by itself. In my specific case, router WiFi settings are managed on a different computer. It was about a year ago when I checked to see if the device was fully patched. Finally, the router is safely guarded by an array of spiders and I don’t want to disturb them. I suspect that many people have a similar connection to the care and nurturing of their router.
The same security recommendations apply to IoT devices at home or in the office – it’s just that the consequences might be more catastrophic for a firm: