Mirai-based botnet updates ‘arsenal of exploits’ on routers, IoT devices

A Mirai-based malware botnet has expanded its payload arsenal to aggressively target routers and other internet-facing devices, researchers have discovered.

The variant, called IZ1H9, was observed by researchers at Fortinet exploiting vulnerabilities in products from nine different brands, including D-Link, Netis, Sunhillo, Geutebruck, Yealink, Zyxel, TP-Link, Korenix and TOTOLINK. “Peak exploitation” of the vulnerabilities occurred on September 6, the researchers believe.

“This highlights the campaign's capacity to infect vulnerable devices and dramatically expand its botnet through the swift utilization of recently released exploit code, which encompasses numerous CVEs,” they wrote.

The IZ1H9 variant was discovered in August 2018, two years after Mirai’s original botnet was first seen infecting Linux-based devices. Mirai has been used in some of the most disruptive distributed denial-of-service (DDoS) attacks recorded, including a 2016 incident that brought down websites including Twitter, Reddit and Netflix.

Callie Guenther, senior manager of cyber threat research at the cybersecurity company Critical Start, said the scope of the targeted devices raises alarms.

“Given that IZ1H9 is targeting a multitude of devices and vulnerabilities, it has the potential to amass a vast botnet,” she said. “This means that its DDoS attacks could be especially potent, capable of taking down high-profile websites or critical online services.”

DDoS attacks work by overwhelming targeted websites with junk traffic, often coming from infected devices that together form a botnet.

As recent geopolitical events have shown, though DDoS attacks seldom inflict lasting damage, they do have the potential to make difficult scenarios even worse for victims. After Hamas’ surprise attack on Israel on Saturday, for example, hacktivists launched cyberattacks on entities connected to both sides of the war.

“At a time of great geopolitical unrest, increased DDoS attacks are likely,” said John Bambenek, Principal Threat Hunter at the IT management company Netenrich. “With these changes, more vulnerable devices are out there and this is purely a math game. More nodes in the botnet mean more attacks and more outages.”

On Tuesday, Amazon, Google and Cloudflare said they detected the largest DDoS attacks on record due to a newly discovered vulnerability, which they called an HTTP/2 Rapid Reset Attack.

Additional reporting by Jonathan Greig.

James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.