As Internet of things (IoT) devices in homes, industrial environments, transportation networks and elsewhere continue to proliferate, so does the attack surface for malicious IoT network attackers. IoT attack activity in 2020 dramatically surpassed the combined volume of IoT activity observed by IBM Security X-Force in 2019.

Turning our attention to the factors behind this rise, this post examines data we collected, tracking activity by the number one IoT botnet nowadays, the Mozi botnet, and other IoT malware. We also provide steps that network defenders can follow to help defend against these threats, many of which leverage command injection (CMDi) attacks.

Mozi Botnets Drive 500% Rise in IoT Attacks

The infamous Mirai botnet that unleashed massive distributed denial-of-service (DDoS) attacks on major websites using millions of compromised devices in 2017 stands as a stark reminder of the power of IoT attacks, a power that continues to increase. In September 2020, IBM X-Force reported that IoT attacks we observed from October 2019 through June 2020 rose 400% when compared to the combined number of IoT attacks in the previous two years.

IoT devices have become part of everyday consumer and business activities, and threats in that space are driven by the availability of devices, most of which are poorly secured, and by prominent IoT botnets, such as Mozi and Mirai. It’s important to remember that source code from various IoT malware can be reused in other variants that may be detected as the same malware.

Monitored network attack metrics we gathered show a 500% increase in overall IoT attacks year over year. X-Force research has revealed that this spike is largely driven by Mozi botnet activity — a relatively new botnet that shares code overlap with Mirai. In 2020, this malware has accounted for 89% of the total IoT attacks detected for the year.

Figure 1: Trend in IoT attacks over the past three years (Source: IBM)

Mozi emerged in 2019, mostly targeting routers and cameras. The malware relies on the distributed hash table protocol to build a peer-to-peer network of bots that it can then leverage in DDoS attacks, payload execution and remote command execution.

Mozi has been extremely active in the last 18 months and continues to rank as the number one most active Mirai-type variant. The Mozi botnet currently controls approximately 438,000 hosts, which is determined by the count of unique Mozi URLs we are tracking. Each compromised host is instructed to hunt for new victim IoTs to infect while they await further instructions from the botnet’s command and control.

The Mozi botnet’s infrastructure in 2020 appears primarily operated through China, which accounts for hosting about 84% of its active domains.

Figure 2: Mozi botnet top attacking countries (Source: IBM MSS)

In terms of victims, Japan received the highest number of attacks, accounting for 87% of the total activity. The United States was a distant second, making up nearly 17% of the victims.

Figure 3: Mozi botnet most-attacked countries (Source: IBM MSS)

Seeing IoT malware rise significantly is in line with our prior projections that the growing IoT attack surface would continue to lure interest from both threat actor groups as well as individual malicious actors, resulting in increased risk to companies across the globe.

Other Notable IoT Botnets Impacting Organizations

While the Mozi botnet has overpowered IoT networks in 2020, several other historical botnets continue to be actively targeting the IoT landscape. X-Force intelligence analysts identified a major attack trend within our CMDi attack rules that began in July 2020 and continued through the year and into 2021. Nearly all IBM-observed IoT targeting attempted to use CMDi attacks to gain initial access to the device. If the targeted endpoint is an IoT device and is susceptible to these attacks, the payload is downloaded and executed.

X-Force analysis indicates this activity is associated with four variants of Mirai malware which exploit multiple vulnerabilities within several IoT devices: Mozi, Gafgyt, Echobot and Loli. All four of these malware types can be used to conduct DDoS attacks against targeted infrastructure as well as download additional payloads.

Figure 4: Unique malware URLs (Source: IBM MSS)


Echobot malware and its new payload of enterprise device attacks are especially virulent, specifically due to the large volume of exploits it attempts to execute as well as the large amount of processor architecture it affects, such as ARM/4/5/6/7, x86, MIPS, PPC and SuperH. Some of these vulnerabilities date back to 2003, to ones publicly disclosed as recently as December 2019. This could indicate that the malicious actors are purposely targeting legacy devices that are too old to upgrade due to compatibility issues but are still in use, as well as newer vulnerabilities that no patches exist for. IBM X-Force has published information about Mirai variants shifting to enterprise targets since 2019, and this activity further underlines that trend.


ZeroShell takes advantage of CVE-2019-12725, a vulnerability within the GNU/Linux firewall distribution. ZeroShell malware can be used to conduct a DDoS attack against targeted infrastructure as well as to download additional payloads. Though CVE-2019-12725 was discovered in July 2019, X-Force analysts observed adversaries attempting to exploit unpatched, vulnerable ZeroShell Linux Router software at scale beginning in mid-July 2020. Specifically, this trend began on July 15, 2020, and was initially very significant in volume. Toward the end of July, the attacks began to wane. However, we detected a second resurgence in late September 2020 with elevated levels of ZeroShell malware activity.


Gafgyt was developed in part from the leaked Mirai source code and uses password bruteforcing with a pre-generated list of passwords to infect devices. Gafgyt historically targeted primarily Linux-based devices, unlike Mirai which targets a broader set of architectures. This botnet is known to be a platform that is sold as a back end to attackers who use different nodes in it to interact and launch DDoS attacks, sometimes initiating those from rogue mobile devices.


Loli is a variant that exploits ThinkPhP, which is not an IoT device but rather a web platform. Loli is a known variant of Mirai that was modified to attempt exploitation of an enterprise application rather than a consumer-based IoT device. Additionally, the Loli variant exploits a Remote Code Execution vulnerability, CVE-2018-20062, that can allow attackers full access to the victim host.

Fighting Back

As IoT attacks continue to surge and threaten enterprise and home networks alike, several security practices can assist network defenders and users in combatting these threats, making them less effective for attackers and — hopefully — leading to decreased IoT attack rates in the future. X-Force threat intelligence recommends implementing the following measures to decrease the opportunities for IoT botnet attackers to leverage your devices:

  • Change default IoT device settings when installing a new device. Default passwords and settings provide an open door for IoT botnet attackers, and a significant percentage of such operations could be stopped by implementing new, strong passwords on devices. Multifactor authentication options for IoT devices can additionally harden the attack surface from botnet operations.
  • Employ penetration testing. Command injection attacks provide the way in for many of the IoT botnets described above, and a robust penetration program is the most effective way to identify command weaknesses and promptly implement fixes. X-Force Red provides application testing services that can help organizations identify and prioritize application flaws that might lead to command injection attacks.
  • Implement a robust patch management program. Many of the top Common Vulnerabilities and Exposures exploited in 2020 were linked to IoT botnet attacks, underscoring the importance of robust patching to prevent future IoT attacks. ZeroShell in particular widely exploited CVE-2019-12925 to gain access to conduct DDoS attacks, and applying a fix for this vulnerability has the potential to decrease the volume of future ZeroShell attacks.

Since command injection is the primary attack vector, the following are some best practices to mitigate command injection attacks:

  • Most attack strings are purposely meant to exploit an application first, so you must ensure your patch management solution is robust.
  • As with SQL injection, sanitizing expected user input is a key prevention method. Form and URL data need to be validated for potentially malicious characters. A white list of characters allowed for use in passwords should be created to validate user input. Note, however, that limiting characters can diminish the strength of account credentials, so password fields should allow a full range of alphanumeric characters. Just never allow shell code operators in commands or database queries that are concatenated using user input.
  • Web applications and their components should run with strict permissions that never allow any operating system command execution.
  • Vulnerabilities may exist within some web development languages, including PHP and Perl. A more secure solution would be to avoid the use of a shell interpreter by using pcntl_fork and pcntl_exec within PHP, and similar calls within other languages.
  • Implement an IoT/operational technology (OT) security solution such as IBM X-Force Threat Management (XFTM) services for IoT and OT environments.

To keep up with X-Force’s threat intelligence blogs, visit To drill down into more information about threats, join X-Force Exchange today.

More from Advanced Threats

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

4 min read

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

4 min read

Detections That Can Help You Identify Ransomware

12 min read - One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

12 min read

How to Report Scam Calls and Phishing Attacks

5 min read - With incidents such as the Colonial Pipeline infection and the Kaseya supply chain attack making so many headlines these days, it can be easy to forget that malicious actors are still preying on individual users. They're not using ransomware to do that so much anymore, though. Not since the rise of big game hunting, anyway. This term marks ransomware actors' shift away from attacks against individual users and towards operations targeting large enterprises, noted CNBC. But attacks like phishing and…

5 min read