Security researchers discovered modified versions of the Mirai and Gafgyt Internet of Things (IoT) malware that are capable of targeting vulnerabilities affecting SonicWall’s Global Management System (GMS) and Apache Struts.
Earlier this month, Palo Alto Networks’ Unit 42 found a domain hosting a variant of the Mirai botnet containing exploits for 16 separate vulnerabilities. One of those flaws was an Apache Struts vulnerability associated with a major 2017 data breach — the first time security professionals observed Mirai targeting Apache Struts, a framework used for developing web applications.
The researchers’ analysis of Mirai led them to observe that the malicious domain previously resolved to a different IP address. Further investigation revealed that the IP address intermittently hosted a version of the Gafgyt botnet containing an exploit for CVE-2018-9866, a vulnerability affecting an older version of SonicWall’s GMS.
Mirai and Gafgyt Signal Shift Toward Enterprise-Level Attacks
Both Mirai and Gafgyt have been around for some time. Even so, Unit 42 detected three new attack campaigns from the two malware families in May 2018. The offensives also leveraged vulnerabilities affecting IoT devices, but those products were all consumer-oriented. The Unit 42 researchers posited that the addition of vulnerabilities targeting Apache Struts and SonicWall’s GMS could signal a shift toward attack campaigns targeting enterprise-level devices.
How to Defend Against IoT Malware
Security professionals can protect data privacy at the workplace by creating a dedicated incident response team to remediate vulnerabilities and disclose data breaches to the public. They should also consider investing in data protection solutions and conducting gap analyses to monitor the data generated by their employer’s IoT devices.
Finally, security personnel should aim to isolate IoT devices on their own network and establish access controls between these products and critical IT resources.
Sources: Palo Alto Networks, Palo Alto Networks(1)