Mirai Botnet Spinoffs Unleash Global Wave of DDoS Attacks

Two Mirai botnet spinoffs have launched aggressive distributed denial-of-service (DDoS) campaigns worldwide, targeting vulnerabilities in Internet of Things (IoT) devices and exploiting weak credentials. The campaigns underscore the enduring threat posed by Mirai-based malware, which remains a powerful cyberweapon nearly a decade after its infamous debut.
Mirai’s Evolution: A Persistent Threat to IoT Security
The Mirai botnet has long been a symbol of the vulnerabilities inherent in IoT devices. Since its source code was leaked in 2016, Mirai has inspired countless variants, each building upon the original malware's devastating capabilities. Two distinct campaigns have emerged recently, leveraging Mirai-derived malware to compromise IoT devices and launch global DDoS attacks.
Campaign 1: The Murdoc Botnet
One of the active campaigns, dubbed the Murdoc Botnet, exploits specific vulnerabilities in IoT devices such as Avtech cameras and Huawei HG532 routers to deliver Mirai malware. According to researchers at Qualys, the botnet utilizes known exploits, including:
- CVE-2024-7029: An authentication bypass vulnerability in Avtech cameras, allowing attackers to inject commands remotely.
- CVE-2017-17215: A remote code execution (RCE) flaw in Huawei routers.
The Murdoc botnet began operations in July 2024 and has since compromised over 1,300 IPs, primarily in Malaysia, Thailand, Mexico, and Indonesia. Researchers uncovered over 100 distinct server sets linked to the botnet, each tasked with managing infected devices and coordinating further attacks.
The malware infiltrates devices through ELF and shell script files, which are then used to install Mirai malware variants. These infected devices are weaponized to participate in expansive DDoS attacks, creating a formidable global botnet network.
Campaign 2: Hybrid Malware Targeting Global Organizations
A second campaign, leveraging malware derived from both Mirai and Bashlite, has targeted organizations across North America, Europe, and Asia. Trend Micro researchers identified large-scale DDoS attacks that initially impacted Japanese corporations and banks before spreading globally.
Attack Vectors and Targeted Devices
The attackers focused on exploiting security flaws and weak credentials in widely used IoT devices, such as:
- TP-Link routers
- Zyxel routers
- Hikvision IP cameras
The malware exploited remote code execution vulnerabilities and weak passwords to gain access, then downloaded scripts to compromise the devices. This global operation has employed two primary types of DDoS attacks:
- Network Overload Attacks: Flooding networks with massive volumes of packets to overwhelm available bandwidth.
- Resource Exhaustion Attacks: Creating numerous sessions to exhaust server resources.
In some cases, attackers combined both methods to maximize the damage, causing significant disruptions in affected regions.
Defensive Measures: Mitigating the Impact of Mirai Botnets
The resurgence of Mirai-based campaigns highlights the need for organizations to bolster their defenses against DDoS attacks. Researchers at Qualys and Trend Micro have provided critical recommendations to combat these threats.
General Best Practices
- Monitor for Suspicious Activity: Regularly track processes, events, and network traffic for signs of compromise.
- Avoid Untrusted Sources: Refrain from executing shell scripts or binaries from unknown origins.
- Harden IoT Devices: Ensure devices are updated with the latest firmware and have strong, unique passwords.
Mitigating Network Overload Attacks
- Use firewalls or routers to block malicious IP addresses and restrict unwanted traffic.
- Collaborate with internet service providers to filter DDoS traffic at the network edge.
- Upgrade router hardware to handle higher packet volumes.
Mitigating Resource Exhaustion Attacks
- Implement rate limiting to restrict the number of requests from specific IP addresses.
- Use third-party DDoS protection services to filter malicious traffic.
- Continuously monitor connections in real time and block IPs with excessive activity.
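The rate-limiting and connection-monitoring advice above, as an added detection example that is not part of the original article or the researchers' own tooling: a sliding-window counter over per-source connection events that flags sources opening more sessions than a threshold allows. The log format, IP addresses and thresholds are constructed for illustration and are not from the page.

```python
"""Flag source IPs that open too many connections within a sliding time window."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (hypothetical syslog-style "accept" lines, not real traffic):
# one source bursts 12 connections in 12 seconds, a second source connects normally.
BURST = [f"2025-01-21T10:00:{i:02d}Z accept src=203.0.113.7 dst=192.0.2.10:443"
         for i in range(12)]
NORMAL = [
    "2025-01-21T10:00:05Z accept src=198.51.100.4 dst=192.0.2.10:443",
    "2025-01-21T10:00:35Z accept src=198.51.100.4 dst=192.0.2.10:443",
    "2025-01-21T10:01:05Z accept src=198.51.100.4 dst=192.0.2.10:443",
    "garbage line that does not parse",
]
SAMPLE_LOG = sorted(BURST + NORMAL)  # timestamp prefix sorts the lines into time order

LINE_RE = re.compile(r"^(?P<ts>\S+) accept src=(?P<src>[\d.]+) dst=\S+$")


def parse_line(line):
    """Return (unix_timestamp, source_ip) for an accept line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m["src"]


def find_abusive_sources(lines, max_conns, window_s):
    """Return {src_ip: peak_count} for every source whose connection count inside any
    window_s-second span exceeds max_conns. Lines must be in timestamp order; a deque per
    source holds only the timestamps still inside the current window."""
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than aborting the scan
        ts, src = parsed
        q = windows[src]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()  # drop events that fell out of the window
        if len(q) > max_conns:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


if __name__ == "__main__":
    # 203.0.113.7 exceeds 10 connections per 30 s; 198.51.100.4 does not.
    print(find_abusive_sources(SAMPLE_LOG, max_conns=10, window_s=30))
```

The returned dictionary is the candidate block list; in production the threshold should be tuned per service so that legitimate clients behind shared NAT addresses are not swept up.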
The Persistent Legacy of Mirai
These latest Mirai botnet campaigns serve as a stark reminder of the risks posed by unprotected IoT devices. As attackers continue to refine their tactics and leverage IoT vulnerabilities, organizations must remain vigilant, proactive, and prepared to mitigate the risks of DDoS attacks. By adopting robust security measures and fostering collaboration between cybersecurity stakeholders, we can reduce the impact of these persistent threats.