Mirai Botnet Code Targets Corporate Networking Gear

Last month a report from Palo Alto Networks’ Unit 42 revealed that cyber criminals have evolved the infamous Mirai botnet code to target corporate SD-WAN gear and recruit those devices into their botnets. The maker of the affected SD-WAN product has since released a fix for the vulnerability that made the attack possible, but a fix only helps once operators actually install it, and unpatched units remain exposed in the meantime. Looking ahead, the same approach will almost certainly be turned on other vulnerable network devices. The fact that Linux servers and now SD-WAN appliances have been targeted shows that the operators of these botnets will recruit any vulnerable connected device they can reach, and that enterprise networking gear is now firmly on the list.

The Mirai source code has been publicly available for nearly three years, since it was leaked in late 2016, and it has regularly been used to launch distributed denial of service (DDoS) attacks from recruited IoT devices. Mirai came to wide public attention in October 2016 when it took down Dyn’s managed DNS infrastructure for hours, in an attack reported at up to 1.2 Tbps. It is well known that Mirai and its variants recruit vulnerable consumer and commercial IoT devices, which are relatively easy to compromise but contribute little bandwidth or compute each. However, in late 2018 security researchers found that it had moved beyond IoT products: it was being used to target x86 Linux servers running Hadoop YARN (Yet Another Resource Negotiator), which have far more compute and network capacity and therefore make more effective DDoS bots. This is no surprise, because the criminals using the Mirai code periodically update it to exploit newly discovered vulnerabilities in whatever devices are exposed. According to Unit 42, the latest variant includes a total of eight exploits that had not previously been seen in Mirai.

DDoS Defense Must Be Sophisticated

Why is a Mirai attack so hard to defend against? The attack vectors are highly configurable from the command-and-control server, and by default Mirai randomizes header fields (source port, sequence number, IP ID and so on) so that they change with every packet sent. A defence that keys on a fixed header value, whether a static ACL or a signature, therefore never sees the same value twice and never fires; mitigation has to work on aggregate characteristics of the traffic (per-target packet and SYN rates, protocol conformance, the ratio of new flows to packets) rather than on any one field. A security system also needs comprehensive automated protections for the Mirai attack vectors out of the box, with the ability to enable additional mitigations quickly when a new vector appears. For most enterprises the most effective and simplest way to stop attacks directed at them is to use a Managed Security Service Provider, Hosting Provider or Internet Service Provider that offers the latest generation of real-time, automatic DDoS Protection as a Service (DPaaS).
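The following simulation, added here as an illustration and not code from the article or from Corero, shows the difference in practice. It builds two constructed SYN floods against a victim (one with fixed header values, one Mirai-style with a fresh source port, sequence number and IP ID per packet), mixes in some constructed benign traffic, and runs two defences over them: a naive filter keyed on the (source IP, source port) pair, and a per-target aggregate detector. All addresses are RFC 5737 documentation ranges, the thresholds are arbitrary and the packet model is a plain dict, not a capture; none of this is a real detection product.

```python
"""Why a filter keyed on fixed header fields fails against a Mirai-style
flood, and why a per-target aggregate view catches it anyway.

Packets are simulated as dicts (constructed sample data, not a capture);
bot, client and victim addresses are RFC 5737 documentation ranges.
"""
import random
from collections import Counter, defaultdict

BOTS = [f"192.0.2.{i}" for i in range(1, 255)]          # 254 infected devices
CLIENTS = [f"198.51.100.{i}" for i in range(20, 25)]    # 5 legitimate clients
BENIGN_SERVER = "198.51.100.5"
VICTIM = "203.0.113.10"


def make_packet(src_ip, dst_ip, src_port, dst_port, seq, ip_id, flags):
    """Only the header fields the article says Mirai randomises are modelled."""
    return {"src_ip": src_ip, "dst_ip": dst_ip, "src_port": src_port,
            "dst_port": dst_port, "seq": seq, "ip_id": ip_id, "flags": flags}


def fixed_header_syn_flood(n, rng):
    """Older-style flood: every bot reuses one source port, seq 0 and IP ID 0."""
    return [make_packet(rng.choice(BOTS), VICTIM, 12345, 80, 0, 0, "S")
            for _ in range(n)]


def mirai_style_syn_flood(n, rng):
    """Mirai-style flood: source port, sequence number and IP ID are drawn
    fresh for every packet, so no fixed header value repeats."""
    return [make_packet(rng.choice(BOTS), VICTIM,
                        rng.randint(1024, 65535), 80,
                        rng.getrandbits(32), rng.getrandbits(16), "S")
            for _ in range(n)]


def benign_traffic(n):
    """Background traffic: each client keeps one ephemeral port for a session
    (an occasional SYN, then data), which is what normal flows look like."""
    pkts = []
    for i in range(n):
        c = i % len(CLIENTS)
        pkts.append(make_packet(CLIENTS[c], BENIGN_SERVER, 40000 + c, 443,
                                i, i, "S" if i % 7 == 0 else "A"))
    return pkts


def fixed_field_filter(packets, threshold):
    """Naive defence: block (source IP, source port) pairs whose SYNs repeat
    `threshold` times or more. Works on fixed headers; never fires on
    randomised ones, because every pair is effectively unique."""
    counts = Counter((p["src_ip"], p["src_port"])
                     for p in packets if p["flags"] == "S")
    return {pair for pair, c in counts.items() if c >= threshold}


def per_target_syn_detector(packets, syn_threshold, uniqueness_ratio=0.9):
    """Aggregate defence: count SYNs per destination regardless of source
    fields. A large SYN volume made of (almost) all-distinct
    (src_ip, src_port, seq) triples is the randomised-flood signature."""
    syns = defaultdict(list)
    for p in packets:
        if p["flags"] == "S":
            syns[p["dst_ip"]].append((p["src_ip"], p["src_port"], p["seq"]))
    flagged = {}
    for dst, triples in syns.items():
        ratio = len(set(triples)) / len(triples)
        if len(triples) >= syn_threshold and ratio >= uniqueness_ratio:
            flagged[dst] = {"syn_count": len(triples),
                            "unique_ratio": round(ratio, 3)}
    return flagged


def run_demo(seed=1, flood_size=20000):
    """Run both defences over benign traffic mixed with each flood type."""
    rng = random.Random(seed)
    benign = benign_traffic(75)
    fixed = fixed_header_syn_flood(flood_size, rng)
    mirai = mirai_style_syn_flood(flood_size, rng)
    return {
        "fixed_blocked": fixed_field_filter(benign + fixed, threshold=20),
        "mirai_blocked": fixed_field_filter(benign + mirai, threshold=20),
        "flagged": per_target_syn_detector(benign + mirai, syn_threshold=1000),
    }


if __name__ == "__main__":
    r = run_demo()
    print("fixed-header flood, (ip, port) pairs blocked:", len(r["fixed_blocked"]))
    print("Mirai-style flood, (ip, port) pairs blocked:", len(r["mirai_blocked"]))
    print("per-target detector flagged:", r["flagged"])
```

Against the fixed-header flood the naive filter blocks every bot, because each (IP, port) pair repeats; against the Mirai-style flood it blocks nothing, since 20,000 packets spread over millions of possible pairs never hit the threshold. The per-target detector ignores the source fields entirely and flags the victim from the SYN volume and the near-total uniqueness of the flows, while the benign server, with a handful of SYNs from reused ports, stays clear. Real mitigation systems add rate baselines, protocol checks and challenge mechanisms on top of this, but the principle is the same: look at what the target is receiving in aggregate, not at any single header value.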

Security Patches Alone Won’t Stop DDoS

It goes without saying that manufacturers must make every effort to fix vulnerabilities in their products, and that enterprises should patch and upgrade their assets accordingly. But it is important to understand what patching does and does not achieve. Patching an enterprise’s own devices stops them from being recruited into a botnet; it does nothing to protect that enterprise from being the target of a DDoS attack launched from other people’s unpatched devices. The denial of service risk persists regardless of how well secured the local network is, because there are billions of other connected devices around the world that are not secured, and they can, and will, be recruited by cyber criminals into botnets that hurl damaging DDoS attacks at targets almost indiscriminately. No unprotected network is safe, and enterprises can’t afford to be lax when it comes to DDoS protection.

For over a decade, Corero has been providing state-of-the-art, highly-effective, automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. If you’d like to learn more, please contact us.

Sean Newman is VP Product Management for Corero Network Security. Sean has worked in the security and networking industry for twenty years, with previous roles including network security Global Product Manager for Cisco, who he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.