Get in Touch
Indiscriminate, opportunistic attacks.
The Mirai botnet was discovered targeting 22 different known vulnerabilities within D-Link, Zyxel and Netgear devices for the purposes of distributed denial-of-service (DDoS) attacks intended to disrupt or stall targeted networks. Signs of a compromise within a device have been identified as persistent issues with slow connection, device overheating and significant changes within the device’s configuration.
The list of known vulnerabilities that include a wide range of techniques are as follows:
- EnGenius EnShare
- MVPower DVR
- Netgear DGN1000
- Vacron NVR
- MediaTek WiMAX
Vendors of the devices are urging users to upgrade to newer models as many of the targeted models are no longer supported by security updates.
If Mirai successfully exploits a device, it will gain full control to launch disruptive DDoS attacks on other victim systems. Victim systems in the control of Mirai will experience significant drops in performance and potentially a complete loss of functionality.
A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against known threats. EDRs can alert system users of potential breaches and prevent further progress prior to the malware being able to implement significant damage.
D-Link, Zyxel and Netgear devices.
Containment, Mitigations & Remediations
It is strongly recommended that the following mitigation steps are adhered to in order to harden the network defences against all variations of botnet infections:
- Update Internet of Things (IoT) devices to the latest product versions
- Reconfigure the factory setting log-in keys, as well as the default username and password of IoT devices
- Implement network segmentation to ensure that all IoT devices are on a separate network from systems critical for daily operations
- Use and maintain anti-virus software
- Implement an official password policy.
Moreover, as previously stated, one main method of reducing the threat of the Mirai botnet is to detect it in the early stages, whilst implementing an effective and monitored EDR solution. An effective EDR tool will increase detection of malicious attempts of Mirai botnet compromise and halt the malware’s progress if detected.
Indicators of Compromise
Mirai associated file hashes (SHA256):
Mirai associated domains:
- Mirai associated IP addresses:
Mirai associated URLs:
Regardless of the fact that the creators of the Mirai botnet malware were apprehended, the source code of the malware was subsequently released into the wild and, as such, Mirai and other botnet variants pose a significant threat to unprotected IoT devices and the associated networks.
Since being released on the dark web, the Mirai source code is continuously being altered by threat actors to create more advanced versions of the malware. To date, these have included Okiru, Satori, Masuta and PureMasuta. Due to the open access nature of the source code as well as IoT markets continuing to develop in notoriety, it is highly likely that further variants will continue to emerge, leading to the potential of future attack efforts.
The Mirai botnet was originally created by university students Josiah White, Paras Jha and Dalton Norman in 2016 and they have since been charged with its creation. As the creators published the code publicly it has been adopted and modified by threat actor groups.
T1584.005 – Compromise Infrastructure: Botnet