Unit 42 Finds New Mirai and Gafgyt IOT/Linux Botnet Campaigns


Unit 42 Finds New Mirai and Gafgyt IOT/Linux Botnet Campaigns (Jul 20, 2018)

Palo Alto Networks Unit 42 researchers have published a report discussing multiple malware campaigns in which the malware is based off of the publicly available source code of the “Mirai” and “Gafgyt” Distributed Denial-of-Service (DDoS) malware. Researchers analyzed three campaigns. The first campaign is using the “Omni” malware, which is a Mirai variant, that was found to be using two exploits, registered as “CVE-2018-10561” (authentication bypass) and “CVE-2018-1562” (command injection). The second campaign involves the “Okane” malware that conducts brute force attacks that target “Camtron IP” cameras, “Control4” devices, and “ADC FlexWave Prism” devices that use default credentials. The third campaign that was analyzed was the “Hakai” malware, which is based off of Gafgyt, that was found to be launching Layer 7 (HTTP flood) DDoS attacks.

Recommendation: The Mirai botnet takes advantage of internet connected devices which have been lazily configured, leaving the door wide open to the world. Any device that connects to the internet must be treated as a security liability, and default usernames / passwords must be disabled. Organizations and defenders should be aware of all their internet facing assets and have them under strict monitoring. Denial-of-service attacks can potentially cost your company loss in revenue because severe attacks can shut down online services for extended periods of time. In addition, the availability for threat actors to compromise vulnerable devices, and purchase DDoS for hire is a continually evolving threat. Mitigation technique can vary depending on the specifics of the attack. For example, in the case of BlackNurse, which can disrupt enterprise firewalls, ICMP type 3 traffic should be blocked, or at least rate limited. Furthermore, a business continuity plan should be in place in the unfortunate case that your company is the target of a significant DDoS attack.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.