Devastating Mirai variant is back on the hunt for businesses to infect

Hacker typing on a keyboard
(Image credit: Bigstock)

A new variant of the crushing Mirai botnet, which specifically places enterprises in its crosshairs, has been discovered by security researchers.

Mirai first shook the world in 2016 and became known for being the worst DDoS attack in history.

Three years later, Mirai has returned, according to experts from Unit 42, Palo Alto Networks' security arm. It comes with an enhanced arsenal of features which increase the botnet's attack surface but, most pertinently, it has a revised attack strategy.

Mirai is still a botnet designed to exploit IoT devices, but in its latest iteration it seeks out vulnerable business devices - specifically, wireless presentation systems and the TVs used to present to rooms full of clients, partners and colleagues.

"This new Mirai is a perfect example of why every organisation needs to map their own networks from an external point of view and close off everything that is open and does not need to be," said Jamo Niemela, principal researcher at F-secure. "The types of new devices that Mirai attacks have no business of being visible to the Internet."

The WePresent WiPG-1000 wireless presentation system and the LG Supersign TV were the two devices singled-out by researchers as most vulnerable to the attack.

"This development indicates to us a potential shift to using Mirai to target enterprises," said Ruchna Nigam, senior threat researcher at Unit 42.

"The previous instance where we observed the botnet targeting enterprise vulnerabilities was with the incorporation of exploits against Apache Struts and SonicWall."

The new variant of Mirai includes new exploits in its multi-exploit battery as well as new credentials to use in its brute force attacks. In addition, the malicious payload attached to it was hosted at a compromised business website based in Colombia.

These new features, Nigam notes, gives Mirai a larger attack surface than before. By targeting firms which have business-grade bandwidth on their network, the combination can facilitate far larger-scale DDoS attacks.

"These developments underscore the importance for enterprises to be aware of the IoT devices on their network, change default passwords, ensure that devices are fully up-to-date on patches," Nigam added.

"And in the case of devices that cannot be patched, to remove those devices from the network as a last resort."

Last September, Mirai was discovered by Unit 42 attempting to target enterprise networks. As noted above, the previous variant targeted the same Apache Struts vulnerability that hackers used to carry out the infamous and the Equifax data breach.

Mirai has been attributed to a host of cyber attacks since three American twentysomethings launched it in 2016. The FBI has said that it believed the trio was not involved in the massive Dyn attack of 2016, but Mirai was at least part of the attack that hit the DNS provider and a selection of the biggest tech companies in the world.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.