The original Mirai botnet was so destructive that it made national headlines last year in many countries around the world. Internet users found many of their favourite services were inaccessible after hackers used the botnet to DDoS companies such as Dyn, a company that controls much of the internet’s DNS infrastructure.
In that attack, over 100,000 compromised devices flooded Dyn with a record-breaking amount of traffic — reportedly in the region of 1.2Tbps.
Whenever there’s mention of Mirai, it’s bound to cause some amount of panic. Variants discovered since last year’s attack haven’t caused anywhere near as much chaos, but it could be they’re waiting for the right time.
This latest variant was discovered by the researchers last week after noticing an increase in traffic scanning ports 2323 and 23. Small increases wouldn’t be of concern, but hundreds of thousands of unique IP addresses originating from Argentina — in less than a day — caught their attention.
After investigation, the researchers found the devices were scanning the ports looking for vulnerable devices manufactured by ZyXEL Communications. They were using two default telnet credential combinations, admin/CentryL1nk and admin/QwestM0dem, to gain root privileges on the targeted devices.
It’s expected this Mirai variant was upgraded to exploit the vulnerability in ZyXEL PK5001Z modems identified as CVE-2016-10401.
“ZyXEL PK5001Z devices have zyad5001 as the su (superuser) password, which makes it easier for remote attackers to obtain root access if a non-root account password is known (or a non-root default account exists within an ISP’s deployment of these devices),” the vulnerability description reads.
Are you concerned by Mirai variants and the growth of IoT botnets? Share your thoughts in the comments.