Resource May 10, 2021

Stopping Mirai: Bringing five years of wreaking havoc on devices to an end

In 2016, the makers of the Mirai malware turned their sights on well-known security expert Brian Krebs and his website KrebsonSecurity to flex their muscles. After the attackers published their  source code, bad actors quickly replicated it, and according to its Wikipedia page (yes, it has a Wikipedia page) it has been used to orchestrate some of the largest and most disruptive DDoS attacks. While it mostly targets consumer devices, it has been found in large-scale attacks on organizations as well with the DNS provider Dyn being the most well known example. 

Mirai was designed to scan IoT devices and spread through vulnerabilities often found there, such as default credentials and missing patches. Once infected, the networked devices running Linux turn into remotely controlled bots that can be used as a part of large-scale network attacks. 

Since its inception Mirai has evolved, spawning new variants at every turn. The malware has gone from overwhelmingly targeting consumer devices to exploiting a zero-day flaw in Huawei routers, targeting device embedded 32 bit processors, hijack cryptocurrency mining operations, and weaponizing routers to exploit and enlist other vulnerable IoT devices or turn them into proxy servers. 

In 2018, thirteen variants were detected actively targeting and infecting Linux IoT devices in operation, three of which specifically targeted default credential authentication. And, that same year, another variant targeting the Android operating system was discovered. 

Today we are still seeing reports of Mirai targeting IoT devices such as routers and switches and being embedded in other malware targeting IoT devices like Gafgyt

So, how is it possible that an instance of malware that has been studied and known to target devices with default credentials still poses a threat to networks today?

Given the length of time that Mirai has been around and the amount that is known about the bot, current Mirai breaches can’t truly be qualified as hacks. They are more accurately described as poorly implemented security designs that failed to protect against a known vulnerability.

That vulnerability is a lack of basic security hygiene for IoT devices. 

Basic security measures for IoT devices––inventory management, patching and credential management––are often overlooked as part of a broader cybersecurity posture. With an average timeframe for applying patches and rotating credentials clocking in at seven years, devices are often the softest targets on the network today. 

Taking care of these seemingly simple security measures back then when Mirai was created and IoT was a more limited endeavor would have been a much more straightforward process. Today, however there are tens of thousands of devices on an average enterprise network that may be a target. And the number is constantly increasing, oftentimes deployed as shadow IoT without the CIO’s knowledge. So, how do you ensure that basic security hygiene measures are taken care of on a regular basis for an exploding number of devices?

In a word, automation. In order to keep up with manual inventory, patching and credential management of just one device it takes 4 man hours per year. Considering that McKinsey estimates that 127 devices hook up to the internet for the first time every second, that’s quite a lot of work piling up. In order to keep pace with that exponential growth IT teams will need the help of automation. 

To learn more about automated remediation of the biggest threats facing IoT devices, and to see just how many vulnerable devices are lurking on your network, please join us for a demo of Phosphorus Enterprise.