A Year After Mirai: Insecure Devices are still a Huge Problem

In-brief: A year after Mirai, as many as 100,000 devices, globally, may be running some version of the Mirai malware, while countless others are vulnerable to being enlisted in a Mirai-like attack. Worse: these systems may not be patched for “years,” according to the SANS Internet Storm Center. 

As September rolls around we’re coming up on the anniversary of the Mirai botnet, which first got noticed around September 21st, 2016 before bursting into the headlines late in October of the same year. Mirai raised alarms and awareness about the vast population of insecure, connected devices and woeful security practices, such as the common use of default, manufacturer supplied passwords to secure devices. One year later, how much has changed? Sadly, not much.

Almost a year after the Mirai botnet launched crippling denial of service attacks against media and hosting websites, as many as 100,000 systems, globally, may be running some version of the Mirai malware, while countless others are vulnerable to being enlisted in a Mirai-like attack. Worse: these systems may not be patched for “years” according to a report from the SANS Internet Storm Center. On one bad omen: scanning for and attacks on connected devices are way up, while the use of default credentials in connected devices is still common.

I spoke with Johannes Ullrich of the SANS Internet Storm Center last week about an experiment he did: deploying a common Digital Video Recorder (DVR) on the public Internet to measure the frequency of attempts to hack it. Over two days he recorded around 1,200 such attacks – an almost constant barrage. The vast majority of those “attacks” were simply efforts to log into the device using the manufacturers default password, which is something of an open secret online. (You can hear parts of my interview with Johannes on the most recent Security Ledger podcast.)

Source IPs scanning port 2323. (Image courtesy of SANS ISC.)

More recently, he penned a blog post that looks at the persistence of Mirai months after the attacks linked to the botnet peaked in early November, 2016. While Mirai related activity is much reduced since then, it is certainly not gone. In fact, Ullrich estimates that there are likely more than 100,000 Mirai hosts still on the Internet – some infected in the initial wave, others infected later with Mirai variants.

How much longer will Mirai be a threat? If SANS ISC’s data on other malware outbreaks holds true, “Mirai is going to stick with us for a few more years,” Ullrich said. “There are many efforts underway to reach out to infected systems and to protect them. But for Mirai, these efforts appear to have reached a point of diminishing returns.”

Unlike earlier malware (say SQL Slammer or MS Blaster) Mirai does not cripple critical IT assets. Nor does it cripple the host networks it infects enough to compel affected organizations to address the infection immediately. Also, Ullrich points out: the fix is no small task, as users can’t update the default password themselves and no straight forward software patch is available.

But Mirai is just one type of malware targeting connected devices like cameras, DVRs, home routers, network attached storage devices and the like. Subsequent Mirai variants as well as malware like PersiraiBrickerbot and Hajime have all targeted embedded and connected devices.  Wirex, a botnet composed of hacked Android devices, is another new wrinkle in the botnet picture that could become more common in the future. “There’s potentially a pattern here – a new capability, used a bit – which may later be combined into a larger capacity multiform botnet.  Or not,” wrote Andy Ellis, the Chief Security Officer at Akamai.

There’s plenty of evidence that there are more devices out there for the taking, too. Most recently, the security firm Nomotion has highlighted a bevy of security holes in AT&T U-verse modems, manufactured by Arris. These include the use blank default passwords with root privileged services exposed and hidden “backdoored” administrative credentials, not mention other exploitable software flaws.  Also last week, Telnet credentials for tens of thousands of connected devices were dumped online, allowing anyone with knowledge of them to break into devices. The security firm F5 noted in their recent quarterly report that  Telnet attack activity grew 280% from the previous period, which included massive growth due to the Mirai malware and subsequent attacks.

And, as next generation thing-botnets like Persirai showed: cyber criminals are more than happy to look beyond weak credentials: exploiting known software holes to gain control over weakly secured, connected endpoints like cameras, DVRs and broadband routers.

True, we haven’t seen botnet attacks on the scale of Mirai in many months. But that shouldn’t give anyone comfort that more aren’t in the offing.

“New records aren’t really high-water marks, moving incrementally; they’re more like storm surges, that surprise everyone with a big new hit,” wrote Ellis. “Sometimes that leads to an immediate new normal, but other times the normal slowly changes.”

Botnets and botnet attacks boil down to dollars and sense, he notes: how adversaries can maximize revenue while keeping overhead low. “Smaller attacks often achieve that goal, as those botnets are less likely to draw concerted attention, and the attacks are just as likely to succeed against undefended targets.”

That may make massive denial of service attacks like the world witnessed with Mirai rare. But it also means that the trend lines on botnets and attacks on small, insecure connected devices will be pointing up. Be prepared!

Security Ledger wants to hear your thoughts! Leave a reply.