As Internet of things (IoT) devices in homes, industrial environments, transportation networks and elsewhere continue to proliferate, so does the attack surface for malicious IoT network attackers. IoT attack activity in 2020 dramatically surpassed the combined volume of IoT activity observed by IBM Security X-Force in 2019.

Turning our attention to the factors behind this rise, this post examines data we collected, tracking activity by the number one IoT botnet nowadays, the Mozi botnet, and other IoT malware. We also provide steps that network defenders can follow to help defend against these threats, many of which leverage command injection (CMDi) attacks.

Mozi botnets drive 500% rise in IoT attacks

The infamous Mirai botnet that unleashed massive distributed denial-of-service (DDoS) attacks on major websites using millions of compromised devices in 2017 stands as a stark reminder of the power of IoT attacks, a power that continues to increase. In September 2020, IBM X-Force reported that IoT attacks we observed from October 2019 through June 2020 rose 400% when compared to the combined number of IoT attacks in the previous two years.

IoT devices have become part of everyday consumer and business activities, and threats in that space are driven by the availability of devices, most of which are poorly secured, and by prominent IoT botnets, such as Mozi and Mirai. It’s important to remember that source code from various IoT malware can be reused in other variants that may be detected as the same malware.

Monitored network attack metrics we gathered show a 500% increase in overall IoT attacks year over year. X-Force research has revealed that this spike is largely driven by Mozi botnet activity — a relatively new botnet that shares code overlap with Mirai. In 2020, this malware has accounted for 89% of the total IoT attacks detected for the year.

Figure 1: Trend in IoT attacks over the past three years (Source: IBM)

Mozi emerged in 2019, mostly targeting routers and cameras. The malware relies on the distributed hash table protocol to build a peer-to-peer network of bots that it can then leverage in DDoS attacks, payload execution and remote command execution.

Mozi has been extremely active in the last 18 months and continues to rank as the number one most active Mirai-type variant. The Mozi botnet currently controls approximately 438,000 hosts, which is determined by the count of unique Mozi URLs we are tracking. Each compromised host is instructed to hunt for new victim IoTs to infect while they await further instructions from the botnet’s command and control.

The Mozi botnet’s infrastructure in 2020 appears primarily operated through China, which accounts for hosting about 84% of its active domains.

Figure 2: Mozi botnet top attacking countries (Source: IBM MSS)

In terms of victims, Japan received the highest number of attacks, accounting for 87% of the total activity. The United States was a distant second, making up nearly 17% of the victims.

Figure 3: Mozi botnet most-attacked countries (Source: IBM MSS)

Seeing IoT malware rise significantly is in line with our prior projections that the growing IoT attack surface would continue to lure interest from both threat actor groups as well as individual malicious actors, resulting in increased risk to companies across the globe.

Other notable IoT botnets impacting organizations

While the Mozi botnet has overpowered IoT networks in 2020, several other historical botnets continue to be actively targeting the IoT landscape. X-Force intelligence analysts identified a major attack trend within our CMDi attack rules that began in July 2020 and continued through the year and into 2021. Nearly all IBM-observed IoT targeting attempted to use CMDi attacks to gain initial access to the device. If the targeted endpoint is an IoT device and is susceptible to these attacks, the payload is downloaded and executed.

X-Force analysis indicates this activity is associated with four variants of Mirai malware which exploit multiple vulnerabilities within several IoT devices: Mozi, Gafgyt, Echobot and Loli. All four of these malware types can be used to conduct DDoS attacks against targeted infrastructure as well as download additional payloads.

Figure 4: Unique malware URLs (Source: IBM MSS)


Echobot malware and its new payload of enterprise device attacks are especially virulent, specifically due to the large volume of exploits it attempts to execute as well as the large amount of processor architecture it affects, such as ARM/4/5/6/7, x86, MIPS, PPC and SuperH. Some of these vulnerabilities date back to 2003, to ones publicly disclosed as recently as December 2019. This could indicate that the malicious actors are purposely targeting legacy devices that are too old to upgrade due to compatibility issues but are still in use, as well as newer vulnerabilities that no patches exist for. IBM X-Force has published information about Mirai variants shifting to enterprise targets since 2019, and this activity further underlines that trend.


ZeroShell takes advantage of CVE-2019-12725, a vulnerability within the GNU/Linux firewall distribution. ZeroShell malware can be used to conduct a DDoS attack against targeted infrastructure as well as to download additional payloads. Though CVE-2019-12725 was discovered in July 2019, X-Force analysts observed adversaries attempting to exploit unpatched, vulnerable ZeroShell Linux Router software at scale beginning in mid-July 2020. Specifically, this trend began on July 15, 2020, and was initially very significant in volume. Toward the end of July, the attacks began to wane. However, we detected a second resurgence in late September 2020 with elevated levels of ZeroShell malware activity.


Gafgyt was developed in part from the leaked Mirai source code and uses password bruteforcing with a pre-generated list of passwords to infect devices. Gafgyt historically targeted primarily Linux-based devices, unlike Mirai which targets a broader set of architectures. This botnet is known to be a platform that is sold as a back end to attackers who use different nodes in it to interact and launch DDoS attacks, sometimes initiating those from rogue mobile devices.


Loli is a variant that exploits ThinkPhP, which is not an IoT device but rather a web platform. Loli is a known variant of Mirai that was modified to attempt exploitation of an enterprise application rather than a consumer-based IoT device. Additionally, the Loli variant exploits a Remote Code Execution vulnerability, CVE-2018-20062, that can allow attackers full access to the victim host.

Fighting back

As IoT attacks continue to surge and threaten enterprise and home networks alike, several security practices can assist network defenders and users in combatting these threats, making them less effective for attackers and — hopefully — leading to decreased IoT attack rates in the future. X-Force threat intelligence recommends implementing the following measures to decrease the opportunities for IoT botnet attackers to leverage your devices:

  • Change default IoT device settings when installing a new device. Default passwords and settings provide an open door for IoT botnet attackers, and a significant percentage of such operations could be stopped by implementing new, strong passwords on devices. Multifactor authentication options for IoT devices can additionally harden the attack surface from botnet operations.
  • Employ penetration testing. Command injection attacks provide the way in for many of the IoT botnets described above, and a robust penetration program is the most effective way to identify command weaknesses and promptly implement fixes. X-Force Red provides application testing services that can help organizations identify and prioritize application flaws that might lead to command injection attacks.
  • Implement a robust patch management program. Many of the top Common Vulnerabilities and Exposures exploited in 2020 were linked to IoT botnet attacks, underscoring the importance of robust patching to prevent future IoT attacks. ZeroShell in particular widely exploited CVE-2019-12925 to gain access to conduct DDoS attacks, and applying a fix for this vulnerability has the potential to decrease the volume of future ZeroShell attacks.

Since command injection is the primary attack vector, the following are some best practices to mitigate command injection attacks:

  • Most attack strings are purposely meant to exploit an application first, so you must ensure your patch management solution is robust.
  • As with SQL injection, sanitizing expected user input is a key prevention method. Form and URL data need to be validated for potentially malicious characters. A white list of characters allowed for use in passwords should be created to validate user input. Note, however, that limiting characters can diminish the strength of account credentials, so password fields should allow a full range of alphanumeric characters. Just never allow shell code operators in commands or database queries that are concatenated using user input.
  • Web applications and their components should run with strict permissions that never allow any operating system command execution.
  • Vulnerabilities may exist within some web development languages, including PHP and Perl. A more secure solution would be to avoid the use of a shell interpreter by using pcntl_fork and pcntl_exec within PHP, and similar calls within other languages.
  • Implement an IoT/operational technology (OT) security solution such as IBM X-Force Threat Management (XFTM) services for IoT and OT environments.

To keep up with X-Force’s threat intelligence blogs, visit To drill down into more information about threats, join X-Force Exchange today.

More from Advanced Threats

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

Hive0051 goes all in with a triple threat

13 min read - As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051's use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today