The Mirai Threat is Alive and Well


The Internet of Things (IoT) has been around for decades, but in 2015, it came to smartphones. By 2016, many households had begun using smart devices, cameras, and DVRs that connected to their home Wi-Fi networks and could be managed from anywhere. All is well and good if you’ve secured these devices. Unfortunately, users’ security practices did not keep pace with the devices, which created environments ripe for exploitation. The result was massive DDoS attacks caused by the Mirai botnet.

It’s a cautionary tale for any company with an active website and no DDoS mitigation solutions. Even if your devices and networks are secure, you aren’t protected from the poor security practices of some guy with a DVR and a smart thermostat. Botnets like Mirai take over these unsecured devices and create large networks of connected devices that can be directed to attack your website. Fortunately, there are ways to protect yourself.

Simple but Effective

When Mirai malware first appeared in 2016, it quickly became a big problem for businesses and individual users alike when it took down internet access for millions of people. Originally designed to cause DDoS attacks that would give its creators an edge in Minecraft, it didn’t take long for the malware to be used for other things. Mirai attacked OVH and Krebs on Security later in 2016, two events that were unprecedented in size for an attack of this kind. Security experts believe Mirai used 145,000 devices to launch a 1 Tbps attack. For context, the average DDoS attack was 9.15 Gbps in 2021 and 5.17 Gbps in 2022.

Many people, once they’ve purchased an IoT device, do not take basic security precautions, such as changing the device’s default username or password. Mirai was able to compromise unsecured devices by scanning the internet for exposed IoT devices and then logging in with default credentials, which are sometimes listed in databases on the dark web. Eventually, the creators posted the code on an open-source forum, which led to an increase in similar attacks as others extended the malware.

Mirai’s Children are Growing

Since Mirai’s code appeared online, it has been used to create many similar (and in some cases, improved) botnets. In February 2023, it was reported that a botnet was infecting Linux servers through brute-force attacks. Over six months, this V3G4 Mirai variant exploited 13 vulnerabilities, embedding itself into poorly protected devices and enabling remote code execution.

Another recent Mirai descendant is Medusa, an older family of malware with new capabilities. This version of Medusa is built on Mirai code, which has given the older malware new Linux-targeting and DDoS abilities. Perhaps most alarmingly, this version installs ransomware. However, Medusa appears to be imperfect at this time due to its inability to demand ransom effectively. Instead of encrypting files, sending a ransom message, and extorting money, Medusa has been observed to encrypt files and then delete them. This makes demanding a ransom rather difficult.

V3G4 and Medusa are the most dangerous Mirai variants out there at this time, but there are almost certainly many more looking for your company’s security flaws and vulnerabilities. Users who do not adequately secure their devices and files risk infiltration or, if they are unlucky enough to experience a Medusa attack, complete obliteration of their data. So, protection is essential to keep your data secure and your organization running smoothly. Additionally, if your devices are turned against you or your website, the DDoS attack that will follow could be devastating to your business operations.

Managing the Mirai Threat

To protect yourself from DDoS attacks and zombie devices, you need DDoS mitigation solutions. Mirai-style botnets can wreak havoc on your environment, so having a defense that filters web traffic, detects and redirects unusual requests, and analyzes attacks can prevent an attack or minimize the damage if one succeeds. Monitoring and logging web traffic during an attack can provide valuable information that will enable you to prevent further DDoS attacks.
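As an added illustration of the "detects unusual requests" step (example code, not part of the original post), here is a small Python detector run over constructed access-log lines. It flags one chatty source and, separately, a window in which many addresses flood at once, which is what a Mirai-style botnet looks like and which per-IP limits alone would miss. The log format, thresholds, and addresses are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')

def parse_line(line):
    """Parse one Common Log Format line into (ip, epoch_seconds, method, path, status)."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed lines are skipped, never trusted
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, int(when.timestamp()), method, path, int(status)

def detect_surges(lines, window=5, per_source_limit=10, total_limit=30, min_sources=5):
    """Count requests per tumbling window. Returns (per_source, distributed):
    per_source  = {ip: peak requests in one window} for sources over per_source_limit;
    distributed = [(window_start, requests, distinct_ips)] for windows over total_limit
                  from >= min_sources addresses (a botnet flood no per-IP limit catches)."""
    per_src = defaultdict(lambda: defaultdict(int))
    totals, sources = defaultdict(int), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, sec = rec[:2]
        bucket = sec - sec % window
        per_src[ip][bucket] += 1
        totals[bucket] += 1
        sources[bucket].add(ip)
    per_source = {ip: max(b.values()) for ip, b in per_src.items()
                  if max(b.values()) > per_source_limit}
    distributed = [(b, totals[b], len(sources[b])) for b in sorted(totals)
                   if totals[b] > total_limit and len(sources[b]) >= min_sources]
    return per_source, distributed

def make_line(ip, epoch, path="/"):
    """Build a constructed log line for the sample below (not real traffic)."""
    ts = datetime.fromtimestamp(epoch, timezone.utc).strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

T0 = 1678449600  # constructed base time, 2023-03-10 12:00:00 UTC
SAMPLE_LOG = (
    [make_line("192.0.2.10", T0 + i) for i in range(20)]             # 1 req/s: normal
    + [make_line("203.0.113.7", T0 + 2 + i % 3) for i in range(15)]  # one noisy source
    + [make_line(f"198.51.100.{n}", T0 + 12) for n in range(1, 41)]  # 40 devices, 1 second
)
if __name__ == "__main__":
    print(detect_surges(SAMPLE_LOG))
```

In a real deployment the same counts would be kept per window as the log is tailed, and the thresholds would be set from your site's observed baseline rather than the constants above.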

Consider your network and processing capacities as well. Implementing cloud-based mitigation services can help prevent attacks by ensuring that your website has enough capacity to handle the unusually large number of requests and packets that come in during a DDoS attack. By using cloud services for this, you reduce your costs and increase your flexibility because you avoid data caps.

When looking for mitigation solutions, be sure to research the time to mitigation. You should invest in an always-on solution that offers preemptive detection, which will usually reduce the time between the initial traffic surge and the mitigation taking effect. As a rule, the longer an attack takes to stop, the longer your business takes to recover.

Mirai and its descendants are here to stay, so you need to be on top of your DDoS mitigation and device security. By implementing appropriate solutions, you can reduce your risk of attack as well as the long-term impact on your business.