IoT worms Mirai and Gafgyt get an upgrade

It’s a well-worn adage in information security that ‘worms never die’. Studying traffic across the internet shows this is all too often true, with evidence that worms like Nimda and Code Red from the 90s continue to fester on ancient, unpatched servers looking for new victims. The world of cheap, rushed-to-market IoT devices is ripe for long-lasting worm infestations in the form of botnets built on never-updated firmware.

The last few years have seen record-breaking DDoS attacks from these very same cheap devices, as worm creators target well-known vulnerabilities to plant bot code on thousands, if not millions, of mass-market Linux hosts. These devices are abandoned by their manufacturers virtually as soon as they ship, and are never managed by their owners so long as they keep doing what they are supposed to do.

Even if those same owners cared to take defensive measures, in many cases the devices are simply flawed. Issues like hard-coded default passwords and open ports that cannot be managed through any user interface provided to the customer are common targets for exploitation. The Mirai worm is arguably the best known, as the source of massive attacks in the past. Things have been quiet on that front recently, but research from Palo Alto Networks has uncovered new variants of both the Mirai and Gafgyt worm families that expand their attack profiles.

Most notably, the Mirai variant now includes an attack on the Apache Struts vulnerability used in the widely publicized Equifax data breach from 2017. Also of concern is the inclusion in Gafgyt of an attack on commercial firewall vendor SonicWall’s Global Management System. Both of these inclusions indicate a move away from consumer devices toward bandwidth-rich corporate environments. Although major corporations take extensive measures to update servers and secure their networks from these kinds of attacks, there are vastly more smaller businesses using these same products that are much less proactive in their patching and network management.

This Mirai variant, as with previous ones, targets a number of specific vulnerabilities. The worm seeks out hosts that are likely to carry a specific vulnerability and then launches a targeted attack in order to deliver a payload tailored to that particular device class. The targets in this variant include:

  • Apache Struts
  • Linksys E-Series
  • Vacron NVRs
  • Some D-Link devices
  • CCTV DVRs from 70 vendors
  • EnGenius EnShare IoT Gigabit Cloud Service
  • AVTECH IP Camera/NVR/DVR Devices
  • Zyxel routers
  • NetGain Enterprise Manager
  • NUUO NVRmini 2
  • DGN1000 Netgear routers
  • MVPower DVRs
  • Dasan GPON routers

Some of these attacks are carried forward from previous versions, as they are still very much valid targets. As for the Gafgyt variant, Palo Alto has this to say:

For part of the month of August 2018, that same domain resolved to a different IP address 185[.]10[.]68[.]127. At that time we found that IP hosting samples of Gafgyt containing an exploit for a recently disclosed SonicWall vulnerability (CVE-2018-9866) affecting older, unsupported versions of SonicWall Global Management System (GMS) (8.1 and older) that is not present in currently supported versions.

This variant was discovered very shortly after the publication of the exploit in the Metasploit toolkit, and has been acknowledged by SonicWall in an advisory notification to their customers.

While the major vendors such as Apache and SonicWall have provided updates to patch against these attacks, many of the consumer products don’t get that kind of attention. These worms will continue to thrive until we come up with a much more comprehensive approach to IoT security. Given the need to standardize that across countless low-cost vendors, it seems an insurmountable problem.

The best thing consumers and small businesses can do is to purchase devices from manufacturers that have an ongoing investment in repeat customers; name-brand smart home products and commercial service providers are incentivized to keep their products up to date and secure. Customers need to ensure those updates are actually applied, and home users would be well advised to invest in some form of network monitoring device, such as the Domotz FingBox, which can proactively watch for known attacks and intrusions.