Tag Archives: Mirai

New Mirai variant attacks Apache Struts vulnerability

New variants of the Mirai and Gafgyt botnets are targeting unpatched enterprise devices, according to new research.

Palo Alto Networks’ Unit 42 found the variants affect vulnerabilities in Apache Struts and in SonicWall’s Global Management System (GMS). The Mirai variant exploits the same vulnerability in Apache Struts that was behind the 2018 Equifax data breach, while the Gafgyt variant exploits a newly uncovered vulnerability in unsupported, older versions of SonicWall’s GMS.

The Unit 42 research team noted the Mirai variant involves taking advantage of 16 different vulnerabilities. And while that’s not unusual, it is the first known instance of Mirai or any of its variants targeting an Apache Struts vulnerability.

The research also found the domain that hosts the Mirai samples had resolved to a different IP address in August, which also hosted Gafgyt samples at that time. Those samples exploited the SonicWall GMS vulnerability, which is tracked as CVE-2018-9866. Unit 42’s research did not say whether the two botnets were the work of a single threat group or actor, but it did say the activity could spell trouble for enterprises.

“The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could indicate a larger movement from consumer device targets to enterprise targets,” the Palo Alto researchers wrote.

The Apache Struts vulnerability exploited by the new Mirai variant was patched last year before it was used in the Equifax breach. But systems that have not been updated are still susceptible to these types of exploits.

The Mirai botnet first emerged in the fall of 2016, and it has since affected hundreds of thousands of IoT and connected devices. The botnet’s malware had primarily targeted consumer devices, and it was responsible for massive distributed denial-of-service attacks on the German telco Deutsche Telekom and on the DNS provider Dyn, which took down websites such as Airbnb, Twitter, PayPal, GitHub, Reddit, Netflix and others.

The Unit 42 researchers discovered the Gafgyt and Mirai variants on Aug. 5, and they alerted SonicWall about its GMS vulnerability. The public disclosure was posted by Palo Alto on Sept. 9.

Okiru malware puts billions of connected devices at risk

A new variant of the Mirai malware puts ARC processors at risk of being exploited.

The Mirai variant, known as Okiru, is the first malware that is able to infect Argonaut RISC Core (ARC) processors, according to a researcher known as unixfreaxjp at the malware security group MalwareMustDie.

ARC processors are used in a wide range of internet-of-things (IoT) devices, such as cellphones, televisions, cameras and cars.

It’s thought that there are approximately 1.5 billion devices worldwide with ARC processors in them that could be vulnerable to Okiru.

In 2016, Mirai malware was used to create a botnet of 100,000 IoT devices that caused a series of problems, such as shutting down domain name system (DNS) provider Dyn.

However, in a tweet, security researcher Odisseus warned that Okiru could have a bigger impact than Mirai.

“The landscape of Linux IoT infection will change,” Odisseus said.

A Mirai malware variant called Satori, which was uncovered in December 2017, took down hundreds of thousands of Huawei routers. Satori was also sometimes called Okiru, but the two have significant differences, according to Security Affairs’ Pierluigi Paganini.

Okiru’s configuration is different because it “is encrypted in two parts,” but Satori’s is not, Paganini wrote in a blog post. “Also Okiru’s telnet attack login information is a bit longer,” Paganini explained, noting that the login information can be up to 114 credentials, but Satori has a “different and shorter database.”

At the time of this writing, the detection ratio on VirusTotal was 29/58. When Odisseus tweeted about the botnet threat earlier this week, it was only at 5/60.

In other news:

  • Google launched a new tool for enterprise security called G Suite Security Center. The tool will be available to G Suite Enterprise users and is automatically accessible in the admin console. In a blog post, Google stated the three objectives of the security center are to show a “snapshot” of security metrics, to help enterprises stay ahead of security threats and to recommend ways for enterprises to improve their security posture. “We want to make it easy for you to manage your organization’s data security,” Google product managers Chad Tyler and Reena Nadkarni wrote in a blog post. “A big part of this is making sure you and your admins can access a bird’s eye view of your security — and, more importantly, that you can take action based on timely insights.” The security center will consist of a dashboard that shows the security metrics and the “security health” recommendations.
  • A team of researchers discovered a way to hack the Android Pixel phone. The exploit involves combining two separate vulnerabilities. The first, which Google patched in September 2017, is a type confusion flaw in the V8 open source JavaScript engine. The second vulnerability is a privilege escalation flaw in Android’s libgralloc module. Google patched that one in December 2017. However, security researchers were able to exploit both vulnerabilities to inject arbitrary code into the system_server process. All they had to do to make the exploit successful was get the targeted user to click on a malicious link in Chrome. The research team received a total of $100,000 from Google for the find, through both the Android Security Rewards program and the Chrome bug bounty program.
  • The Internet Systems Consortium (ISC) put out a security advisory warning of a vulnerability in the Berkeley Internet Name Domain (BIND) DNS software. The vulnerability, with severity ranked “high,” was remotely exploitable and reportedly caused some DNS servers to crash. “BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named,” ISC said in its advisory. The vulnerability was found in BIND versions 9 and later, but not in earlier versions, so the ISC advised users to upgrade to the latest version. There have been no known active exploits, but the advisory stated that “crashes due to this bug have been reported by multiple parties.”

Mirai creators and operators plead guilty to federal charges

The three men accused of creating and operating the Mirai botnet have pleaded guilty to federal charges.

The Department of Justice announced Wednesday it had unsealed the guilty pleas of Paras Jha, age 21, of Fanwood, N.J.; Josiah White, 20, of Washington, Pa.; and Dalton Norman, 21, of Metairie, La. on charges of “conspiracy to violate the Computer Fraud and Abuse Act in operating the Mirai botnet.”

According to the DoJ, the three Mirai creators built the botnet during the summer and fall of 2016 before unleashing the first wave of Mirai attacks, which at its peak was generating DDoS attacks from hundreds of thousands of vulnerable IoT devices.

“The defendants used the botnet to conduct a number of powerful distributed denial-of-service, or ‘DDoS’ attacks, which occur when multiple computers, acting in unison, flood the Internet connection of a targeted computer or computers,” the DoJ wrote in a statement. “The defendants’ involvement with the original Mirai variant ended in the fall of 2016, when Jha posted the source code for Mirai on a criminal forum. Since then, other criminal actors have used Mirai variants in a variety of other attacks.”

Jha and Norman were separately charged with and pleaded guilty to infecting more than 100,000 devices between Dec. 2016 and Feb. 2017 with “malicious software,” but the charges did not specifically attribute these attacks to Mirai. The DoJ announcement accused the Mirai creators of making a botnet “used primarily in advertising fraud, including ‘click fraud’ … for the purpose of artificially generating revenue,” and it is unclear whether this botnet was separate from Mirai.

“Our world has become increasingly digital, and increasingly complex,” U.S. Attorney Bryan D. Schroder said in the DoJ statement. “Cybercriminals are not concerned with borders between states or nations, but should be on notice that they will be held accountable in Alaska when they victimize Alaskans in order to perpetrate criminal schemes. The U.S. Attorney’s Office, along with our partners at the FBI and Department of Justice’s Computer Crime and Intellectual Property Section, are committed to finding these criminals, interrupting their networks, and holding them accountable.”

Jha alone also pleaded guilty to a series of attacks against the Rutgers University network — where Jha was a student — between Nov. 2014 and Sept. 2016.

Mirai creator attribution

Early reports following the Mirai botnet attacks, including the Dyn DDoS incident, attempted to attribute the attack to nation-state actors and foreign adversaries. However, in January 2017 Brian Krebs, cybersecurity journalist and investigator, identified Jha and White as likely being the Mirai creators. It is unclear how his investigation played a part in the DoJ charges. Krebs was one of the first known victims of the Mirai DDoS attacks.

Lesley Carhart, security incident response team lead at Motorola Solutions, said on Twitter that this case against the Mirai creators should be a moment to realize “attribution is complex.”