The Mirai botnet has been a constant IoT security threat since it emerged in fall 2016. The subsequent release of its source code only extended Mirai’s reach and is one of the many reasons NetScout labeled it the “king of IoT malware.”
While Mirai’s distributed denial-of-service capabilities aren’t anything researchers haven’t seen before, “when wielded by a capable attacker, it can launch high-volume, nontrivial DDoS attacks,” said Richard Hummel, ASERT threat research manager at NetScout.
Its segmented command and control is instrumental to launching simultaneous attacks against multiple unrelated targets, he added. Mirai DDoS attack capabilities include SYN flooding, User Datagram Protocol flooding, ACK flooding and HTTP GET, POST and HEAD attacks.
Mirai continues to be successful for a well-known reason: Its targets are IoT devices with hardcoded credentials found in a simple web search. Such devices, Hummel said, listen for inbound telnet access on certain ports and have backdoors through which Mirai can enter. Once a device is subsumed in the botnet, he added, it immediately scans for other victims.
“The mean time to compromise a vulnerable IoT device is 10 minutes or less,” Hummel said. “This means compromised devices that are switched off or rebooted will almost certainly be recompromised unless proactive steps are taken to shield TCP/23, TCP/2323 and TCP/103 access.”
NetScout research found more than 20,000 unique Mirai samples and variants in the first half of 2019, a number Hummel said dipped slightly in the latter half of the year.
Here, Hummel discusses why Mirai is still so prevalent more than three years after its initial attacks and offers advice on how enterprises can defend against it.
Editor’s note: This interview has been edited for length and clarity.
Why is the Mirai IoT botnet still such a threat to connected devices?
Richard Hummel: The release of the Mirai source code made it trivial for a threat actor with little to no skill to build his own IoT botnets. Many IoT devices, such as home routers, are installed and rarely patched. Updating the original Mirai source code to include newly discovered exploits and hardcoded credentials translates into why we see a rising number of Mirai-based botnets.
What are some of the top Mirai variants you’re seeing?
Hummel: The variants we are seeing work like the original Mirai botnet. Threat actors modify the original Mirai source code to include newly released hardcoded credentials and vulnerabilities to exploit vulnerable IoT devices. We also see a mixture of the original DDoS attacks included from the Mirai source code. The top five variants seen by NetScout’s honeypot network for 2019 were IZ1H9, Ex0, Ares, LZRD and Miori.
Do you expect to see the same number of Mirai variants in 2020 and beyond?
Hummel: Because of the sheer number of IoT devices coming online — Verizon predicted 20.4 billion devices to connect by 2020 — they will continue to be targeted by threat actors. Mirai and its variants will continue to dominate the IoT malware landscape in 2020, and we will also see a handful of unique, non-Mirai-based IoT malware as well.
Is Mirai solely an IoT threat? What other devices or systems does it target?
Hummel: Mirai-based variants are continually evolving. In the past three years, we have witnessed Mirai variants target Ethereum mining clients and Linux servers running vulnerable versions of Hadoop YARN.
What steps can enterprises take to prevent Mirai and other IoT malware from being successful?
Hummel: Consumers need to change default credentials and patch and update their IoT devices. When possible, apply proper access controls. From an organizational perspective, the same applies: Change default credentials, implement proper patching and updating, apply access controls and deploy DDoS mitigation strategies.