Mirai Botnet Malware & Its Impact On The IoT

Recent statistics show that the number of connected devices worldwide is expected to reach 30.9 billion units by 2025. The fast-growing use of IoT devices in our daily lives brings both convenience and a new pool of resources for attackers. Some of these security concerns have been discussed in one of our previous blog posts. Moreover, weak security layers, weak encryption standards and the inherent heterogeneity of device designs make IoT devices vulnerable to intrusion, so more powerful botnets with increased attack capabilities are expected.

This blog will discuss Mirai, a botnet malware primarily designed to target Linux-based connected devices. Two main things make Mirai interesting in terms of the extended attack surface:

  1. There is a significant number of IT devices across organisations, data centres, homes, and mobile devices running the Linux operating system. 
  2. The release of its code as open source has made it easier for threat actors to embed discovery techniques based on recent vulnerabilities and create powerful variations of Mirai.

According to research from CrowdStrike, the number of Mirai variants for Intel-powered Linux systems doubled in Q1 2022 compared to Q1 2021. Prompted by this observation, we explored Mirai's history to examine how it has evolved. We highlight some of its techniques mapped to the MITRE ATT&CK framework and list mitigation recommendations you should follow to protect your environment.

History

Mirai began as a self-propagating malware. It gained notoriety in 2016 after launching DDoS attacks against several high-profile targets, including the popular "Krebs on Security" blog, the DNS provider Dyn, and Lonestar Cell, a telecom operator in Liberia. The first outbreak infected around 65,000 devices in the first 20 hours, targeting a variety of IoT and embedded devices including IP cameras, routers, and printers. Following these attacks, the source code was published on a hacking forum as open source, and attackers used it to create new strains. Researchers tracked the evolution, created measurement methodologies and published detection processes.

How Mirai works

Mirai targets Linux-based IoT devices to create a network of bots controlled by a Command and Control (C2) server. The attack is performed in two steps:

  1. During the discovery/infection phase, blocks of IP addresses are randomly probed for open telnet services. Once potential victims are identified, Mirai begins a brute-force login attempt using a list of factory-set usernames and passwords, which identifies the devices still running default settings. Their IP addresses, along with the credentials that worked, are sent back to the C2 server.
  2. Once a device is infected and the malware binary has been executed, the device is added to the list of active bots that receive C2 commands while simultaneously scanning for new victims. The malware then deletes its binary from disk and kills competing processes, including other Mirai variants.

Evolution and Variations

Since the first outbreak in 2016, new strains of Mirai malware have been introduced with higher success rates. These variants modify the original techniques, for example by adding exploits alongside brute-force logins and by targeting new CPU architectures. Listed below are some of the reported variants of Mirai.

  • Satori:  Reported by the 360 Institute for Cybersecurity and Check Point Researchers in November 2017, this variant exploited device vulnerabilities instead of using brute force logins to break into devices. Satori scanned for ports 37215 (Zero-Day CVE-2017-17215 vulnerability on Huawei HG532 devices) and 52869 (CVE-2014-8361 SOAP vulnerability in Realtek SDK-based devices) to install malware code. The malware reportedly infected more than 280,000 IP addresses in 12 hours, hijacking thousands of home routers.


  • Okiru: The first Linux malware seen targeting ARC CPUs, initially detected in late 2017. ARC embedded processors are among the most common in IoT devices, including mobile, home, and smart-car devices. This raised great concern over the potential impact of attacks launched from a network of devices previously considered immune to this type of malware. While Okiru and Satori share several characteristics, Okiru has a more complex design, including a two-part encrypted configuration and a longer list of login credentials for its attacks.


  • Masuta/PureMasuta: Masuta (Japanese for "master"), reported in January 2018, exploits router vulnerabilities and default credentials. An evolved version, PureMasuta, leverages an older D-Link exploit (EDB 38722) in the HNAP (Home Network Administration Protocol). The vulnerability, discovered in 2015, allows crafted SOAP queries to bypass authentication and run system commands due to an improper string handling issue.


  • OMG: This variant was found infecting IoT devices and turning them into proxy servers. OMG creates a network of proxy servers that can later be used to perform anonymous malicious activities. The variant keeps Mirai's original DDoS capabilities and uses the open-source 3proxy software to provide the proxy functionality. The network of infected proxy devices can be offered to cybercriminals looking for DDoS generators and spamming networks.


  • Beastmode: A more recent variant reported to exploit new vulnerabilities in addition to brute-forcing credentials. The report highlights five new vulnerabilities observed in February and March 2022, including three TOTOLINK exploits that enable attackers to inject and execute commands through crafted requests and query parameters. Beastmode also uses older exploits against IP cameras, routers, and surveillance products running unpatched firmware. Once the attacker takes control of the device, they can run commands such as "wget" to download shell scripts that infect the device and register it with the botnet. Beastmode can incorporate new vulnerabilities, extending its scope and increasing the infection rate among unpatched devices.


Research conducted by the Georgia Institute of Technology [13] reports an evolution of the exploits found in Mirai variants through the years:

Figure 1: Evolution of Mirai variants (Alrawi 2021)

Mirai: Tactics and Techniques

The MITRE ATT&CK framework is an openly available knowledge base of adversary tactics and techniques based on real-world observations. The framework is widely used to model threat behaviours and better understand how an adversary operates at different stages of an attack.

Mirai has evolved over time to adopt new techniques, increasing its success rate. Listed below are some of the common techniques used by Mirai and its variants, from initial access and device discovery to the disruption of the target system or data. Those interested are encouraged to review the details of each technique to familiarise themselves with common patterns, threat actors, and mitigation recommendations.

  • Acquire Infrastructure (T1583): Mirai creates a botnet of IoT devices to perform adversary actions. The bot infrastructure could also be made available to other adversaries seeking resources for intended attacks.
  • Brute Force (T1110): Mirai uses a list of default credentials to brute-force its way into IoT devices that still have default configurations, gaining control for further discovery. The T1110 technique covers several brute-force mechanisms, including password spraying, under the Credential Access tactic.
  • Exploitation of Remote Services (T0866, T1210): Mirai variants exploit different vulnerabilities to gain access to vulnerable devices and infect new ones. T0866 (ICS) and T1210 (Enterprise) describe the methods available to gain initial access, as well as lateral movement within the internal network to expand the infection.
  • Command and Control (TA0011): Mirai uses Command and Control (C2) servers to send commands to infected devices.
  • Network Denial of Service (T1498): Once devices are infected, C2 servers can send commands to controlled devices to perform actions such as Distributed Denial Of Service attacks (DDoS). 

How can companies protect themselves against attacks?

Mirai's constant evolution makes it a special case when it comes to mitigation recommendations. Mirai variants use various techniques to complicate detection, such as removing competing malware from infected devices, deleting their own binary from disk, changing the process name to a random string, or blocking ports associated with remote administration services. Moreover, research on infected devices shows that some of the top manufacturers of electronic devices did not follow sufficient security practices to mitigate these attacks. In a previous blog post, we discuss how to use the Elastic Stack to analyse and visualise data collected from IoT devices in order to enhance their security. Device vendors, network operators, end-users, and other stakeholders all have a role in protecting devices throughout their lifecycle against malicious access. This includes focusing on the following technical and regulatory compliance recommendations:

  • Device vendors have the highest visibility into hardware and software. They should ensure the security of design, limiting the exposed services and process interactions to isolate possible infections.
  • Organisations should seek to increase security awareness and encourage users to follow best practices such as changing default passwords and enabling built-in firewalls. The evolution of Mirai variants highlights the need for periodic assessment of IT devices.
  • Network operators should monitor and analyse traffic, looking for unexpected patterns and indicators of port scans or brute-force attacks.
  • Monitoring threat feeds and threat intelligence repositories to actively update the blocklist of observed C2 servers.
  • Follow Center for Internet Security (CIS) benchmarks for best practices and recommended configurations to set up and prepare your IT resources.
  • Conduct regular IoT audit controls to create an inventory list of all devices in an organization and identify their connectivity network, physical and logical access, cybersecurity measures, protocols, and incident response plans.
  • Prepare for Zero-day attacks. You might not have prior knowledge of how these attacks impact your environment. However, you have access to a vast amount of data generated by devices showing the normal operations in the environment; and you have the help of big data analytics. Analytics processes such as User and Entity-based Behavior Analytics (UEBA) will help monitor the behaviour of users and devices to receive alerts of deviations from normal patterns.
  • Anti-malware software helps to detect and remove malware that has evaded other security layers such as firewalls.
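As an added example that is not part of the original post, the Python detector below applies the monitoring advice above to the infection behaviour described in "How Mirai works": it reads constructed connection/authentication log lines and raises one alert when a single source touches many telnet endpoints within a short window (a sweep) and another when that source repeatedly fails to log in to one device (a brute-force attempt). The log format, field names, thresholds and window are assumptions made for this example.

```python
"""Detect Mirai-style telnet sweeps and credential brute-forcing in connection logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}   # ports Mirai's scanner probes
SCAN_THRESHOLD = 5          # distinct telnet targets from one source within WINDOW (assumed)
BRUTE_THRESHOLD = 4         # failed logins on one target from one source within WINDOW (assumed)
WINDOW = timedelta(minutes=5)

def parse_line(line):
    """Parse the assumed format '<ISO-time> <src_ip> -> <dst_ip>:<dst_port> <CONNECT|LOGIN_FAIL|LOGIN_OK>'."""
    ts, src, _, dst, event = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), event

def detect(lines):
    """Return alerts as (kind, src_ip, detail) tuples, one per threshold crossing."""
    scan_targets = defaultdict(dict)   # src -> {dst_ip: first_seen}
    failures = defaultdict(list)       # (src, dst) -> failure timestamps
    alerts = []
    for line in lines:
        ts, src, dst, port, event = parse_line(line)
        if port not in TELNET_PORTS:
            continue                   # only telnet matters for Mirai's first phase
        if event == "CONNECT":         # sweep indicator: many endpoints from one source
            scan_targets[src].setdefault(dst, ts)
            recent = [d for d, t in scan_targets[src].items() if ts - t <= WINDOW]
            if len(recent) == SCAN_THRESHOLD:
                alerts.append(("telnet_scan", src, f"{len(recent)} targets"))
        elif event == "LOGIN_FAIL":    # brute-force indicator: repeated failures on one device
            hist = failures[(src, dst)]
            hist.append(ts)
            hist[:] = [t for t in hist if ts - t <= WINDOW]
            if len(hist) == BRUTE_THRESHOLD:
                alerts.append(("telnet_bruteforce", src, dst))
    return alerts

# Constructed sample: 192.0.2.10 sweeps five telnet endpoints, then hammers one camera
SAMPLE_LOG = [
    "2022-05-01T10:00:00 192.0.2.10 -> 10.0.0.1:23 CONNECT",
    "2022-05-01T10:00:01 192.0.2.10 -> 10.0.0.2:23 CONNECT",
    "2022-05-01T10:00:02 192.0.2.10 -> 10.0.0.3:2323 CONNECT",
    "2022-05-01T10:00:03 192.0.2.10 -> 10.0.0.4:23 CONNECT",
    "2022-05-01T10:00:04 192.0.2.10 -> 10.0.0.5:23 CONNECT",
    "2022-05-01T10:00:10 192.0.2.10 -> 10.0.0.5:23 LOGIN_FAIL",
    "2022-05-01T10:00:11 192.0.2.10 -> 10.0.0.5:23 LOGIN_FAIL",
    "2022-05-01T10:00:12 192.0.2.10 -> 10.0.0.5:23 LOGIN_FAIL",
    "2022-05-01T10:00:13 192.0.2.10 -> 10.0.0.5:23 LOGIN_FAIL",
]
```

Running `detect(SAMPLE_LOG)` yields one `telnet_scan` alert on the fifth distinct target and one `telnet_bruteforce` alert on the fourth failed login; traffic on non-telnet ports is ignored.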

Following best practices, auditing regularly, and implementing protection and detection tools will help your organisation create a safer environment. However, new vulnerabilities and unexpected intrusion techniques can always lead to data breaches and system disruptions. Moreover, unsecured IoT devices extend the attack surface beyond organisations to individual users in their homes, cars and daily lives. It is important that end-users are aware of the security concerns around the devices they interact with. End-users should consider the following best practices to secure their environment:

  • Consider using a secure commercial router instead of an ISP-supplied router/modem. Many consumer-grade devices ship with management tools that let remote administrators connect to the device for troubleshooting.
  • Check if your router supports the HNAP protocol. If the answer is yes, then you should consider replacing your router.
  • Use a strong password and be aware of the router's network name. If the name is a default one (such as Netgear or Linksys) that reveals the router model, change it immediately. Attackers use tools that scan for internet-facing devices with known names and default credentials.
  • Regularly check for automatic upgrade options or the company website for recommended updates and firmware upgrades.
  • Check for the list of connected devices and disable any inactive or unknown devices in the network.
  • Regularly monitor the activity on your device for unknown logins or suspicious activity.

Raising security awareness encourages users to be alert and aware of the state of their IoT devices and advises them on what action to take when facing a threat.

References

  1. https://www.statista.com/statistics/1101442/iot-number-of-connected-devices-worldwide
  2. https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips
  3. Understanding the Mirai Botnet [https://dl.acm.org/doi/10.5555/3241189.3241275]
  4. https://en.wikipedia.org/wiki/Mirai_(malware)
  5. https://www.cloudflare.com/en-au/learning/ddos/glossary/mirai-botnet/
  6. https://blog.checkpoint.com/2017/12/21/huawei-routers-exploited-create-new-botnet
  7. https://www.fortinet.com/blog/threat-research/rise-of-one-more-mirai-worm-variant
  8. https://securityaffairs.co/wordpress/68153/malware/masuta-botnet.html
  9. http://securityaffairs.co/wordpress/67742/malware/mirai-okiru-botnet.html
  10. https://securityonline.info/new-satori-botnet-used-huawei-zero-day-280000-ip-addresses-was-infected-in-12-hours/
  11. https://www.fortinet.com/blog/threat-research/omg–mirai-based-bot-turns-iot-devices-into-proxy-servers
  12. https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign

  13. The Circle Of Life: A Large-Scale Study of The IoT Malware Lifecycle [https://www.usenix.org/conference/usenixsecurity21/presentation/alrawi-circle]

About Skillfield

Skillfield is an Australian based IT services consultancy company empowering businesses to excel in the digital era. Across our two main practices of Cyber Security & Data Services, our talented and committed professionals provide smart and simplified solutions to complex cyber security and big data challenges.
