
IoT FEATURE NEWS

Mirai Pivots from IoT End Points into Corporate SD-WAN Gear as Worst Fears Come True


It’s been a while since we’ve written about the Mirai botnet, malware that turns networked devices running Linux into remotely controlled "bots" to perform large-scale network attacks.

Mirai started out as an IoT security threat, initially targeting online consumer devices, and was first identified in August 2016 by MalwareMustDie, a whitehat malware research group. It has since grown to cause some of the largest and most disruptive distributed denial of service (DDoS) attacks, including the infamous October 2016 Dyn cyberattack.

Many security experts and analysts pointed at the time to the ability of adversaries to pivot from the initial attack (from hacking devices to hacking into entire networks), and last week those predictions turned into the present moment as VMware’s corporate SD-WAN gear was found to be vulnerable to the same software.

VMware immediately came out with a software patch that addresses the issue, which was uncovered by Palo Alto Networks Unit 42, a team that has been tracking the evolution of the Mirai malware since 2016.

“As part of this ongoing research, we’ve recently discovered a new variant of Mirai that has eight new exploits against a wide range of embedded devices,” Unit 42 wrote. “These newly targeted devices range from wireless presentation systems to set-top-boxes, SD-WANs, and even smart home controllers.”

In 2016, Mirai used default passwords to gain access to IoT devices, but it has since advanced to more sophisticated measures, using “publicly available exploits to propagate and run on vulnerable devices.”

“This newly discovered variant is a continuation of efforts by Linux malware authors to scout for a wider range and thus, larger number, of IoT devices to form larger botnets thereby affording them greater firepower for DDoS attacks,” Unit 42 summarized. “Based on the results observed by using such variants, the exploits that are more effective i.e. the ones that infect a greater number of devices are retained or reused in future variants whereas the less effective ones are retired or replaced by malware authors with other exploits.”

This raises the question of how secure SD-WANs really are. While some believe the intruders chose the now-fixed VMware equipment because they identified the vulnerability, others believe we need to take a fresh look at how private networks can harden themselves against future invasions.

Rick Conklin, CTO at Dispersive Networks, said, “We should expect to continue to see a rise in the types of attacks on SD-WANs, including now using Mirai software, which is advancing beyond consumer devices to corporate devices. It’s critical for IT and network operations teams to be on a constant vigil, using the best techniques available to check for anomalies that signal possible attacks.”

Conklin believes this is a solid transitional solution, but that ultimately it will be Software Defined Networking, with more sophisticated treatment of sessions and micro-segmentation of the network to ensure that critical devices can only talk to servers or users that they are authorized to talk to, that will win the battle. That means authentication before access, with unauthorized attempts being rejected silently (to the requestor) and logged for network administrator notification.
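
The policy described above can be sketched as a per-device allowlist evaluated over flow records. This is an added example, not code from Dispersive Networks or Unit 42; the addresses, ports, record format, threshold and the names `ALLOWED`, `FANOUT_ALERT` and `evaluate` are all assumptions, and the allowlist stands in for whatever authentication step a real deployment uses.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed policy: each device may reach only these (server, port) pairs.
ALLOWED = {
    "10.20.0.11": {("10.20.1.5", 8883)},
    "10.20.0.12": {("10.20.1.5", 8883), ("10.20.1.9", 443)},
}
FANOUT_ALERT = 3  # assumed threshold: distinct strangers before alerting

# Constructed flow records, one per line: "timestamp src dst dport"
SAMPLE_FLOWS = """\
2024-01-01T09:00:01Z 10.20.0.11 10.20.1.5 8883
2024-01-01T09:00:02Z 10.20.0.12 10.20.1.9 443
2024-01-01T09:00:05Z 10.20.0.12 10.20.0.11 23
2024-01-01T09:00:05Z 10.20.0.12 10.20.0.13 23
2024-01-01T09:00:06Z 10.20.0.12 10.20.0.14 8080
2024-01-01T09:00:09Z 10.20.0.99 10.20.1.5 8883
"""

def evaluate(flows_text, allowed=ALLOWED, fanout_alert=FANOUT_ALERT):
    """Return (decisions, admin_log, alerts) for the given flow records."""
    decisions, admin_log, alerts = [], [], []
    strangers = defaultdict(set)  # device -> distinct unauthorized peers
    for line in flows_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        ts, src, dst, dport = parts
        try:
            ip_address(src)
            ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # skip records with bad addresses or ports
        if (dst, port) in allowed.get(src, set()):
            decisions.append((src, dst, port, "ALLOW"))
            continue
        # Unknown device or unlisted peer: no reply goes to the requestor,
        # but the attempt is recorded for the network administrator.
        decisions.append((src, dst, port, "DROP_SILENT"))
        admin_log.append(f"{ts} denied {src} -> {dst}:{port}")
        strangers[src].add((dst, port))
        if len(strangers[src]) >= fanout_alert and src not in alerts:
            alerts.append(src)  # device is reaching out to many strangers
    return decisions, admin_log, alerts

if __name__ == "__main__":
    print(*evaluate(SAMPLE_FLOWS)[1], sep="\n")
```

On the constructed sample, the device that contacts three unlisted peers is the one raised to the administrator, while the single denied attempt from an unenrolled address is only logged.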

“A simple rule for IoT: Don’t talk to strangers.”

“We’ve been keeping a constant eye on what’s happening with Mirai as IoT deployments like those we protect on a large, distributed scale are very attractive targets,” Conklin said. “2016 was just practice, with consumer devices, set top boxes, smart thermostats, and more so open and easy to penetrate given the prevalence of default passwords. As trillions of dollars are being invested, according to Gartner and other firms, by adversarial and often state sponsored groups, we can expect new levels of sophistication and must defend against those to avoid future surprises which can have life or death results should Mirai be used to control a microgrid, for example.”

Researchers at Palo Alto Networks' Unit 42 found earlier issues in March, when they reported that Mirai is also being used to take control over TVs and projectors, as well as broadband routers, network-attached storage boxes, IP-enabled cameras and other (until then) primarily consumer IoT devices.

At that time, Unit 42 named WePresent projectors, D-Link video cameras, LG digital signage TVs, and routers from Netgear, D-Link, and Zyxel as the end points, which were exploited based on vulnerabilities in firmware.

"In particular, Unit 42 found this new variant targeting WePresent WiPG-1000 Wireless Presentation systems, and in LG Supersign TVs," the researchers said. "Both these devices are intended for use by businesses. This development indicates to us a potential shift to using Mirai to target enterprises."

Enterprises need to be on high alert, according to Conklin, including those who believe their SD-WANs to be secure enough to protect valuable data and systems. “Daily attention is required, and for those of us who are in this industry and have a passion for our mission – to protect people, businesses, the environment and democracies, we are grateful for the efforts of researchers like those in Palo Alto’s Unit 42.”


Arti Loftus is an experienced Information Technology specialist with a demonstrated history of working in the research, writing, and editing industry with many published articles under her belt.

Edited by Ken Briodagh