Mirai was behind one of the biggest Internet outages in history, knocking Twitter and several other major services offline last year. The malware’s source code has since been published openly, so it is attracting new attention from opportunistic cybercriminals trying to amass gigantic botnets of their own.
Mirai infects Internet-connected “smart” devices such as DVRs, webcams and thermostats. Recently, a new strain has been targeting broadband routers from manufacturers including Huawei. Security researcher Dale Drew, chief security strategist at broadband provider CenturyLink, told Ars Technica that over 90,000 Huawei devices – accompanied by around 10,000 others – have been networked into a dormant Mirai botnet.
So far, the malware’s operator has yet to use the devices for anything malicious. Since it was first observed a fortnight ago, the network has done nothing but grow: the operator is scanning the Internet to identify, infect and enrol as many vulnerable devices as possible. In most cases the targets are Huawei’s popular EchoLife Home Gateway and Home Gateway routers.
A dormant botnet of this size could be used to carry out a coordinated assault on online services. Once enough devices have been acquired, the operator could turn the roughly 100,000 compromised home routers on a major provider in a crippling distributed denial-of-service (DDoS) attack. The result could resemble Mirai’s impact last October, when several high-profile companies were knocked offline.
While security experts are aware of the botnet, their options for dealing with it are limited. Some Internet infrastructure providers, including CenturyLink-owned Level 3, are already blocking traffic between the infected devices and the operator’s command-and-control servers.
This cuts the operator off from the infrastructure used to control the botnet. Many other providers, however, continue to let botnet traffic pass freely, and blocking is only a short-term fix: new command-and-control servers can be stood up quickly.
As is now the norm for IoT-based attacks, the root enabler of the botnet is weak security in the devices themselves. The operator uses a dictionary of more than 65,000 default username and password combinations to gain access to the routers. Most consumers never change the factory credentials for built-in system accounts, leaving the devices open to remote takeover. Changing those credentials, and disabling remote (WAN-side) management where the router allows it, removes the foothold this campaign depends on.
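A credential-dictionary sweep like the one described above leaves a recognisable trace on the target: one source address failing to log in with many different usernames within seconds, sometimes followed by a success. The following detector is an added example written for this article, not code from the article, the botnet operator or Huawei. The log format, field names, timestamps and addresses are constructed for illustration (real Huawei gateways log differently, and many do not log telnet logins at all), as are the thresholds of five distinct usernames within sixty seconds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article): login records from a home
# gateway's telnet/SSH service in a syslog-like format assumed for this example.
# 203.0.113.7 behaves like a Mirai-style scanner: six default usernames in
# four seconds, then a successful login. 198.51.100.9 is an ordinary user typo.
SAMPLE_LOG = """\
2017-12-01T10:00:01Z gw login: FAILED user=root src=203.0.113.7 svc=telnet
2017-12-01T10:00:02Z gw login: FAILED user=admin src=203.0.113.7 svc=telnet
2017-12-01T10:00:02Z gw login: FAILED user=support src=203.0.113.7 svc=telnet
2017-12-01T10:00:03Z gw login: FAILED user=user src=203.0.113.7 svc=telnet
2017-12-01T10:00:03Z gw login: FAILED user=guest src=203.0.113.7 svc=telnet
2017-12-01T10:00:04Z gw login: FAILED user=service src=203.0.113.7 svc=telnet
2017-12-01T10:00:05Z gw login: OK user=admin src=203.0.113.7 svc=telnet
2017-12-01T10:05:00Z gw login: FAILED user=alice src=198.51.100.9 svc=ssh
2017-12-01T10:05:30Z gw login: OK user=alice src=198.51.100.9 svc=ssh
"""

# Assumed line layout: "<iso-timestamp> <host> login: <FAILED|OK> user=<u> src=<ip> svc=<s>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) \S+ login: (?P<result>FAILED|OK) user=(?P<user>\S+) '
    r'src=(?P<src>\S+) svc=(?P<svc>\S+)$'
)


def parse(log_text):
    """Turn log text into (timestamp, result, user, src, svc) tuples,
    skipping lines that are not login records."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%SZ')
        events.append((ts, m['result'], m['user'], m['src'], m['svc']))
    return events


def find_dictionary_attacks(events, window=timedelta(seconds=60), min_users=5):
    """Flag each source that fails with at least `min_users` distinct usernames
    inside any `window`-long span of its failures, and report whether that
    source logged in successfully after the flagged span began."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if e[1] == 'FAILED']
        best, best_start, start = 0, None, 0
        # Sliding window over this source's failures, keyed on distinct users,
        # so a slow single-account brute force does not trip the rule.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = len({e[2] for e in fails[start:end + 1]})
            if distinct > best:
                best, best_start = distinct, fails[start][0]
        if best >= min_users:
            compromised = any(e[1] == 'OK' and e[0] >= best_start for e in evs)
            findings[src] = {'distinct_users': best,
                             'login_after_attack': compromised}
    return findings


if __name__ == '__main__':
    for src, info in find_dictionary_attacks(parse(SAMPLE_LOG)).items():
        status = 'LIKELY COMPROMISED' if info['login_after_attack'] else 'attempted'
        print(f"{src}: {info['distinct_users']} usernames tried, {status}")
```

On the constructed sample this flags only 203.0.113.7, with six distinct usernames and a successful login after the burst, which is the case that should trigger an immediate credential change and a check of the device's running configuration. Keying the rule on distinct usernames rather than raw failure count is deliberate: a default-credential dictionary walks many accounts quickly, whereas a legitimate user fumbling one password does not.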
