Security researchers from Palo Alto Networks have spotted a new variant of the Mirai IoT malware in the wild targeting two new classes of devices: smart signage TVs and wireless presentation systems. This new strain is being used by a new IoT botnet spotted earlier this year.
The botnet’s author(s) appear to have invested quite a lot of time in upgrading older versions of the Mirai malware with new exploits.
Palo Alto Networks researchers say this new Mirai botnet uses 27 exploits, 11 of which are new to Mirai altogether, to break into smart IoT devices and networking equipment.
Furthermore, the botnet operator has also expanded Mirai’s built-in list of default credentials, which the malware uses to break into devices that still have default passwords. Four new username and password combos have been added to Mirai’s considerable list of default creds, researchers said in a report published earlier today.
The purpose and modus operandi of this new Mirai botnet are the same as all the previous botnets. Infected devices scan the internet for other IoT devices with exposed Telnet ports and use the default credentials (from their internal lists) to break in and take over these new devices.
The infected bots also scan the internet for specific device types and then attempt to use one of the 27 exploits to take over unpatched systems.
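From the defender's side, the Telnet scanning described above shows up as a single internal device opening Telnet connections to many different addresses within a short time. The Python code below is an added example, not taken from the Palo Alto Networks report; the flow-record format, the thresholds, the sample records and the inclusion of port 2323 alongside port 23 are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: 23 is Telnet; 2323 is watched as a common alternate Telnet port.
TELNET_PORTS = {23, 2323}

# Constructed sample flow records (time, source, destination, destination port).
# Addresses come from private and documentation ranges; none are real indicators.
SAMPLE_FLOWS = """\
2024-01-01T10:00:01 10.0.5.20 198.51.100.7 23
2024-01-01T10:00:02 10.0.1.9 10.0.0.2 23
2024-01-01T10:00:03 10.0.5.20 198.51.100.8 2323
2024-01-01T10:00:05 10.0.5.20 203.0.113.14 23
2024-01-01T10:00:06 10.0.5.31 192.0.2.10 443
2024-01-01T10:00:09 10.0.5.20 203.0.113.90 23
2024-01-01T10:00:12 10.0.1.9 10.0.0.2 23
2024-01-01T10:00:14 10.0.5.20 192.0.2.55 2323
2024-01-01T10:00:20 10.0.5.20 192.0.2.77 23
2024-01-01T10:05:00 10.0.1.9 10.0.0.3 23
"""

def parse_flow(line):
    """Split one whitespace-separated record into typed fields."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def find_telnet_scanners(lines, min_targets=5, window=timedelta(seconds=60)):
    """Return {source: most distinct Telnet destinations seen in one window}
    for every source that reaches min_targets. Records must be time-ordered."""
    recent = defaultdict(deque)  # source -> (time, destination) pairs in window
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = parse_flow(line)
        if port not in TELNET_PORTS:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop connections older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= min_targets:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(find_telnet_scanners(SAMPLE_FLOWS.splitlines()))
```

Counting distinct destinations rather than raw connections keeps an administrator who repeatedly logs in to one switch over Telnet from being flagged, while a device fanning out to many addresses is.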
Typically, Mirai botnets have targeted routers, modems, security cameras, and DVRs/NVRs. On some very rare occasions, Mirai malware has ended up on smart TVs, smartphones, and some enterprise Linux and Apache Struts servers. However, these are rare events.
However, according to Palo Alto Networks researchers, this new Mirai botnet they spotted this year is intentionally targeting two new device types using specially crafted exploits, namely LG Supersign signage TVs and WePresent WiPG-1000 wireless presentation systems.