Mirai — the worm responsible for infecting tens of millions of IoT devices which were used as a botnet to DDoS managed DNS infrastructure provider Dyn in October — has evolved, and its new form has been used to take down nearly one million internet routers in Germany. KrebsOnSecurity reports that the Mirai variant incorporates a new exploit code which takes advantage of a security flaw within particular routers.
“Security experts say the multi-day outage is a sign of things to come as cyber criminals continue to aggressively scour the Internet of Things (IoT) for vulnerable and poorly-secured routers, Internet-connected cameras and digital video recorders (DVRs),” KrebsOnSecurity says. “Once enslaved, the IoT devices can be used and rented out for a variety of purposes — from conducting massive denial-of-service attacks capable of knocking large Web sites offline to helping cybercriminals stay anonymous online.”
“Until this week, all Mirai botnets scanned for the same 60+ factory default usernames and passwords used by millions of IoT devices,” KrebsOnSecurity adds. “But the criminals behind one of the larger Mirai botnets apparently decided to add a new weapon to their arsenal, incorporating exploit code published earlier this month for a security flaw in specific routers made by Zyxel and Speedport.”
The vulnerability in the two routers seems to have been exacerbated by Deutsche Telekom’s failure to block non-German IPs from remotely managing the devices. The solution to cure Mirai-infected routers, according to Deutsche Telekom, is to disconnect the device to wipe its memory, and then reconnect, at which point a firmware update from DT will patch the vulnerability.
