New Mirai Variant Targets Enterprise Wireless Presentation Systems

Enterprise wireless presentation systems and signage TVs are being attacked by the latest Mirai variant, according to new research from Palo Alto Networks’ Unit 42 team.

Previously, the threat actors behind Mirai have mostly focused on attacking vulnerable consumer IoT devices, but there are benefits to be gained from attacking enterprise IoT devices. A successful attack will give the attackers greater bandwidth to use in DDoS attacks.

Exploits have now been included for LG Supersign TVs and WePresent WiPG-1000 wireless presentation systems, both of which are used by enterprises. LG Supersign TVs and the LG SuperSignEZ CMS are being attacked using an exploit for CVE-2018-17173, a remote code execution vulnerability caused by improper parameter handling. A command injection vulnerability in the WePresent WiPG-1000 is being used to attack the wireless presentation system. Both vulnerabilities were publicly disclosed some time ago, but until now they had not been weaponized and used in attacks.

This is not the first time that enterprises have been targeted. In 2018, Mirai started targeting enterprises using an exploit for an Apache Struts vulnerability, the same vulnerability that was exploited in the attack on Equifax.

Major Mirai Update

In total, 27 exploits are now being used by Mirai, 11 of which are new additions. Multiple vulnerabilities are now being used to attack routers, network storage devices, IP cameras, DVRs and NVRs.

Brute force attacks have also increased and Palo Alto reports that four new sets of credentials have been added to gain access to vulnerable devices that have not had their default credentials changed. They are: admin:huigu309; root:huigu309; CRAFTSPERSON:ALC#FGU; and root:videoflow.

Whether access is gained using brute force tactics or exploits of vulnerabilities, the end result is the same. The Mirai payload is downloaded and the devices are added to the Mirai botnet and are used for DDoS attacks.  

All enterprises should ensure that default credentials are immediately changed on all IoT devices. Customers of Palo Alto Networks are protected against the exploits used by Mirai and the IPs/URLs used in the latest campaign.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news