New Version of Mirai Malware Targets Default Credentials

Security researchers warn that they have noticed a new variant of the Mirai malware over the past week. The malicious threat is currently targeting new sets of default credentials specific to ZyXEL devices.

The Mirai malware has been known for about a year, since it started ensnaring insecure Internet of Things (IoT) devices into a botnet capable of launching massive distributed denial-of-service (DDoS) attacks.

In October 2016, the source code of Mirai was made public, and by the end of that month the threat had infected systems in 164 countries worldwide.

The Mirai malware scans the Internet for open ports associated with Telnet access on Internet-facing IoT products and tries to connect to the discovered devices using a set of default username/password combinations.

According to Akamai, Mirai is formed of smaller hives of related bots and command and control (C&C) servers, and parts of it can be used for different purposes. For that reason, the botnet can participate in numerous simultaneous attacks, each orchestrated from a different C&C, usually by a different operator, and can also be rented to hackers.

Since last week, Netlab has registered an increase in scan traffic on ports 23 and 2323 and “confidently” associated it with a new version of the Mirai malware. According to the security experts, the new variant is specifically searching for insecure ZyXEL devices.

The researchers also report that the scanner was trying two new default login credentials, admin/CentryL1nk and admin/QwestM0dem. The former was first noticed less than a month ago in exploit-db, as part of an exploit targeting the ZyXEL PK5001Z modem.

According to Netlab’s analysis, abuse of the two login credentials started on November 22 and peaked the next day, the same day as the uptick in port 23 and 2323 scan traffic. On that basis, the researchers concluded that the two were related.
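The correlation Netlab describes (a surge in unique sources probing ports 23 and 2323, peaking on the same day as login attempts with the two ZyXEL default credentials) is something a defender can reproduce over their own logs. The script below is an added example, not code from the article or from Netlab: it counts unique Telnet scanners per day from a connection log, counts per-day login attempts that use the two credential pairs the article names, flags days whose scanner count is an outlier, and checks whether the two peaks coincide. Both log formats and every log line are constructed for the example.

```python
"""Telnet scan uptick detection correlated with default-credential login attempts.
Added example; not code from the article or from Netlab. Both log formats
and all sample lines below are constructed for illustration."""
from collections import defaultdict

TELNET_PORTS = {23, 2323}

# Constructed connection log: "<ISO timestamp> <src ip> -> <dst ip>:<dst port>"
CONN_LOG = """\
2017-11-21T10:00:01 203.0.113.5 -> 192.0.2.10:23
2017-11-21T11:12:44 203.0.113.9 -> 192.0.2.10:443
2017-11-22T08:03:12 198.51.100.2 -> 192.0.2.10:23
2017-11-22T08:03:15 198.51.100.3 -> 192.0.2.10:2323
2017-11-22T09:30:00 198.51.100.4 -> 192.0.2.11:23
2017-11-23T01:00:00 198.51.100.10 -> 192.0.2.10:23
2017-11-23T01:00:02 198.51.100.11 -> 192.0.2.10:2323
2017-11-23T01:00:03 198.51.100.12 -> 192.0.2.10:23
2017-11-23T01:00:04 198.51.100.13 -> 192.0.2.11:23
2017-11-23T01:00:05 198.51.100.14 -> 192.0.2.11:2323
2017-11-23T01:00:06 198.51.100.10 -> 192.0.2.12:23
2017-11-24T12:00:00 203.0.113.7 -> 192.0.2.10:23
"""

# Constructed auth log from a Telnet daemon or honeypot:
# "<ISO timestamp> <src ip> login user=<u> pass=<p> result=<ok|fail>"
AUTH_LOG = """\
2017-11-22T08:03:13 198.51.100.2 login user=admin pass=CentryL1nk result=fail
2017-11-22T09:30:01 198.51.100.4 login user=admin pass=QwestM0dem result=fail
2017-11-23T01:00:01 198.51.100.10 login user=admin pass=CentryL1nk result=fail
2017-11-23T01:00:03 198.51.100.11 login user=admin pass=QwestM0dem result=fail
2017-11-23T01:00:04 198.51.100.12 login user=admin pass=CentryL1nk result=fail
2017-11-23T01:00:07 198.51.100.13 login user=root pass=hunter2 result=fail
2017-11-24T12:00:01 203.0.113.7 login user=admin pass=CentryL1nk result=fail
"""

# The two default credential pairs the article says the new variant tries.
WATCHED_CREDS = {("admin", "CentryL1nk"), ("admin", "QwestM0dem")}


def unique_telnet_scanners_per_day(log: str) -> dict:
    """Return {date: set of unique source IPs} for connections to Telnet ports."""
    per_day = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, _, dst = line.split()
        port = int(dst.rsplit(":", 1)[1])
        if port in TELNET_PORTS:
            per_day[ts[:10]].add(src)
    return dict(per_day)


def watched_cred_attempts_per_day(log: str) -> dict:
    """Return {date: number of login attempts using a watched default credential}."""
    per_day = defaultdict(int)
    for line in log.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        kv = dict(f.split("=", 1) for f in fields[3:])
        if (kv.get("user"), kv.get("pass")) in WATCHED_CREDS:
            per_day[fields[0][:10]] += 1
    return dict(per_day)


def scan_uptick_days(scanners: dict, factor: float = 2.0) -> list:
    """Days whose unique-scanner count is at least `factor` times the mean of the other days."""
    days = []
    for day, n in scanners.items():
        others = [v for d, v in scanners.items() if d != day]
        baseline = max(1.0, sum(others) / len(others)) if others else 1.0
        if n >= factor * baseline:
            days.append(day)
    return sorted(days)


def peak_day(counts: dict) -> str:
    """Date with the highest count."""
    return max(counts, key=lambda d: counts[d])


def correlate(conn_log: str, auth_log: str) -> dict:
    """Combine both views and report whether the scan peak and credential peak coincide."""
    scanners = {d: len(s) for d, s in unique_telnet_scanners_per_day(conn_log).items()}
    creds = watched_cred_attempts_per_day(auth_log)
    scan_peak, cred_peak = peak_day(scanners), peak_day(creds)
    return {
        "scanners_per_day": scanners,
        "cred_attempts_per_day": creds,
        "uptick_days": scan_uptick_days(scanners),
        "scan_peak": scan_peak,
        "cred_peak": cred_peak,
        "peaks_coincide": scan_peak == cred_peak,
    }


if __name__ == "__main__":
    for key, value in correlate(CONN_LOG, AUTH_LOG).items():
        print(f"{key}: {value}")
```

On the constructed data, unique scanners per day are 1, 3, 5 and 1, so 2017-11-23 is flagged as an uptick and is also the day with the most watched-credential attempts, which is the coincidence Netlab used to tie the two observations together. The simple mean-of-other-days baseline is enough for a few days of data; over weeks of logs a rolling window or a median baseline would be more robust to repeated spikes.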

The experts also reported that most of the scanner IPs are located in Argentina, having observed about 100,000 unique scanners from that country over a three-day period. Based on this, the researchers concluded that the attack may be focused on specific types of IoT devices widely deployed in Argentina.

In 2016, about 1 million of Deutsche Telekom’s fixed-line network customers experienced Internet disruptions due to a similar attack by the Mirai malware.
