Actu
New ASERT research: Mirai - Not Just For IoT Anymore
November 2018 by NETSCOUT’s ASERT
NETSCOUT’s ASERT team have just published a new research revealing new versions of Mirai tailored to run on Linux servers and not underpowered IoT devices.
Botmasters have taken the lessons from developing Internet of Things (IoT) malware and shifted their focus to targeting commodity Linux servers. Like many IoT devices, unpatched Linux servers linger on the network, and are being abused at scale by attackers sending exploits to every vulnerable server they can find.
NETSCOUT researchers have been monitoring exploit attempts for the Hadoop YARN vulnerability in their honeypot network and found a familiar, but surprising payload – Mirai.
These versions of Mirai behave much like the original but are tailored to run on Linux servers and not underpowered IoT devices. While ASERT has previously published observations of Windows Mirai, this is the first time they’ve seen non-IoT Mirai in the wild.
While the techniques used to deliver Mirai to both IoT and Linux servers may be similar, it’s much easier for attackers to attack the x86 monoculture of Linux servers than the wide array of CPUs used in IoT devices.
Key Findings include:
• Mirai botmasters that target Linux servers no longer need to tailor their malware for strange architectures, they assume their targets are using x86.
• Rather than rely on the bots to propagate, the attackers have shifted their tactics to issuing exploits themselves. A relatively small number of attackers are using custom tools to exploit the Hadoop YARN vulnerability and deliver Linux malware.
• Even if the victim Hadoop YARN server is not running the telnet service, the Mirai bot will attempt to brute-force factory default credentials via telnet.
• Linux servers in datacenters have access to more bandwidth than IoT devices on residential networks, making them much more efficient DDoS bots. A handful of well-resourced Linux servers can generate attacks that compete with a much larger IoT botnet.
