Mirai Malware Targeting the Enterprise

June 24, 2019

Mirai is back with a vengeance. The infamous malware that crippled global DNS provider Dyn, French Web host OVH and security journalist Brian Krebs’s Web site with botnets of infected home routers, baby monitors and other IoT devices is now infecting enterprise network equipment, according to a recent Palo Alto Networks blog and a Network Computing article.

Mirai has already shown how much havoc it can wreak. The October 2016 Dyn attack disrupted access to Amazon, Airbnb, Netflix, Spotify, Yelp, The Guardian, CNN and scores of other major Web sites and services across Europe and North America. Mirai DDOS attacks also crippled Rutgers University’s network and Internet access across the African country of Liberia.

After the initial 2016 attacks, Mirai’s source code found its way online, including onto GitHub, and third-party variants have continued to cause trouble long after its original perpetrators were arrested.

Even More Lethal

Mirai seeks out thousands of routers and IoT devices exposed to the Internet and configured with default vendor usernames and passwords, infecting and assembling them into botnets that flood and cripple intended targets with massive volumes of traffic.

The current strain adds a host of new infection targets, including enterprise SD-WAN appliances, wireless presentation systems, and digital signage. It has added several new default device usernames and passwords for its brute-force IoT device attacks and can infect unpatched and misconfigured devices via other publicly available exploits even if default logins have been changed. Access to copious enterprise bandwidth may enable Mirai to launch even more devastating attacks than before.

Protecting your network from infection isn’t rocket science. Inventory all networked IoT devices frequently; change all default login usernames and passwords; and keep IoT devices, firewalls, VPNs, and anti-malware software up to date with current security patches. Even if you succeed in preventing your network from joining a Mirai botnet, however, you still have to worry about Mirai-induced DDOS attacks.
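The infection pattern described above (an external host sweeping many internal devices for a telnet login) is easy to spot in perimeter firewall logs once you look for it. The following is an added example, not code from the original post or from Cato Networks: it parses a constructed, syslog-like firewall log format, flags any external source that probes more than a handful of internal hosts on the telnet ports Mirai is known to scan (TCP 23 and 2323), and separately lists internal devices that actually accepted such a connection, which is a fast way to find the exposed, unchanged-default devices the inventory step above is meant to catch. The log format, the field names and the fan-out threshold are assumptions chosen for the example.

```python
"""Flag Mirai-style telnet sweeps in firewall logs (added example, not the post's code).

Assumed log format (constructed for this example, one record per line):
    <timestamp> action=<allow|deny> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Mirai scans TCP 23 and 2323 looking for telnet logins with default credentials.
TELNET_PORTS = {23, 2323}
# Distinct internal hosts one external source must probe before we call it a sweep (assumed).
FANOUT_THRESHOLD = 5
# Internal address space for this example; adjust to your own ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>allow|deny) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample: one external host sweeps six internal devices and gets
# through to 10.0.0.9; a second external host sends a single probe; internal
# telnet and unrelated ports are present so the filter has something to ignore.
SAMPLE_LOG = """\
2019-06-24T10:00:01Z action=deny src=203.0.113.7 dst=10.0.0.1 dport=23 proto=tcp
2019-06-24T10:00:01Z action=deny src=203.0.113.7 dst=10.0.0.2 dport=23 proto=tcp
2019-06-24T10:00:02Z action=deny src=203.0.113.7 dst=10.0.0.3 dport=2323 proto=tcp
2019-06-24T10:00:02Z action=deny src=203.0.113.7 dst=10.0.0.4 dport=23 proto=tcp
2019-06-24T10:00:03Z action=deny src=203.0.113.7 dst=10.0.0.5 dport=23 proto=tcp
2019-06-24T10:00:03Z action=allow src=203.0.113.7 dst=10.0.0.9 dport=23 proto=tcp
2019-06-24T10:00:04Z action=deny src=198.51.100.4 dst=10.0.0.2 dport=23 proto=tcp
2019-06-24T10:00:05Z action=allow src=10.0.0.5 dst=10.0.0.6 dport=23 proto=tcp
2019-06-24T10:00:06Z action=allow src=203.0.113.7 dst=10.0.0.10 dport=443 proto=tcp
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return a dict of fields for one log record, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    """True if the address falls inside one of the configured internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(log_text):
    """Return {'scanners': {src: [dst, ...]}, 'exposed': {dst: [src, ...]}}.

    'scanners' lists external sources whose telnet fan-out met the threshold;
    'exposed' lists internal devices that accepted inbound telnet from outside.
    """
    probes = defaultdict(set)    # external src -> internal dsts probed on telnet
    accepted = defaultdict(set)  # internal dst -> external srcs that were allowed in
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in TELNET_PORTS:
            continue
        if is_internal(rec["src"]) or not is_internal(rec["dst"]):
            continue  # only inbound, Internet-to-internal telnet is of interest here
        probes[rec["src"]].add(rec["dst"])
        if rec["action"] == "allow":
            accepted[rec["dst"]].add(rec["src"])
    scanners = {s: sorted(d, key=ip_address) for s, d in probes.items() if len(d) >= FANOUT_THRESHOLD}
    exposed = {d: sorted(s, key=ip_address) for d, s in accepted.items()}
    return {"scanners": scanners, "exposed": exposed}


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for src, dsts in findings["scanners"].items():
        print(f"telnet sweep from {src}: {len(dsts)} internal hosts probed")
    for dst, srcs in findings["exposed"].items():
        print(f"device {dst} accepted inbound telnet from {', '.join(srcs)}: check its credentials and firmware")
```

On the constructed sample, 203.0.113.7 is reported as a sweep (six internal hosts) while 198.51.100.4, with a single probe, stays below the threshold, and 10.0.0.9 is listed as a device that accepted an inbound telnet connection. In a real deployment the "exposed" list is the more valuable output: a device that answers telnet from the Internet at all is the one to pull from the inventory, re-credential and patch first.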

How Cato Protects Your Network

Cato helps you counter Mirai infection by slashing the attack surface. The Cato Sockets are hardened devices with all unnecessary services disabled. Sockets also only accept traffic from authorized sources. And with SD-WAN appliances, there’s a chance IT will misconfigure and expose them to the Internet; not so with Cato Sockets, which are managed by Cato personnel who enforce secure configuration and updates.

Cato also prevents malware like Mirai from entering your SD-WAN or spreading across sites with its enterprise-grade network security stack. The Cato Security Service currently includes a next-generation firewall, secure Web gateway, anti-malware, IPS, and managed threat detection and response.

Cato can also counter Mirai-induced botnet DDOS attacks with its extensive built-in DDOS resilience and protection. Cato PoPs have been designed with the elasticity and scale to handle massive volumes of traffic, including that of DDOS attacks. They’re also protected with a host of specific anti-DDOS measures and can reassign targeted sites to unaffected IP addresses if necessary. Only authorized sites and mobile users can connect and send traffic to the Cato Cloud backbone.

No doubt Mirai and attacks like it will continue to gain sophistication, incorporating more networked devices, including those in the enterprise, and adding more exploits. A combination of effective security measures and the inherent security of the Cato Cloud can help keep the beast at bay.

Dave Greenfield

Dave Greenfield is a veteran of the IT industry. He’s spent more than 20 years as an award-winning journalist and independent technology consultant. Today, he serves as a secure networking evangelist for Cato Networks.