New variant Mirai malware abuses weak passwords IoT devices

Trend Micro security researchers have discovered a new variant of the Mirai malware that focuses on IoT devices. The malware, called Miori, wants to integrate those devices into a larger botnet and launch DDoS attacks. That’s what Security Intelligence reports.

The malware was discovered at the beginning of December. Miori is abusing an exploit in the ThinkPHP framework. The remote code execution (RCE) vulnerability allows cyber criminals to infect machines with Linux and execute Miori. A notification appears on the victim’s device.

When the attackers verify that a system has been infected via the command and control (C&C) server, they use the Telnet protocol and misuse weak or commonly used passwords to carry out brute-force attacks on other IP addresses. A screenshot of researchers looking at Miori shows a number of passwords used in recent attack campaigns. These included ‘admin123’, ‘root’ and ‘default’.

Mirai

Miori is just one of the many variations of Mirai that have been discovered since the original malware appeared. In September 2016, for example, millions of users lost temporary access to the Internet after the malware turned its attention to Dyn. Dyn provides a significant portion of the backbone of the Internet. Large telecommunications companies in Germany and the United Kingdom have suffered similar attacks based on Mirai in recent months.

Besides Miori there are also Shinoa, APEP and IZ1H9 variants on Mirai. These malware variants use the same RCE exploit to find and infiltrate machines with open-source-based operating systems.

On Security Intelligence, security experts recommend not using weak or common passwords to protect IoT devices. It is recommended that you use passwords that are 12 characters or longer, backup the passwords and use a password manager. In addition, the use of multifactor authentication is recommended. These add an extra layer of security to connected devices, which can help protect against emerging threats.