A new variant of the infamous Mirai botnet has been discovered that for the first time specifically targets enterprise internet of things (IoT) devices.

The Mirai botnet infects smart, internet-connected devices in order to enslave them into a vast network of bots used to conduct distributed denial of service (DDoS) attacks. It has spawned a number of variants since its source code was first published online in 2016; until now, however, these have focused on consumer devices.

This new variant, identified by researchers at Palo Alto Networks' Unit 42, features multiple new exploits that allow it to target devices developed and marketed specifically for enterprise applications. These include the widely used LG Supersign TVs and WePresent WiPG-1000 Wireless Presentation systems.

It is thought that the creators of this Mirai botnet variant have chosen to target enterprise users due to the increased bandwidth available through corporate systems – enabling larger-scale and more devastating DDoS attacks. It also indicates changes both in the use of IoT devices and the motives of attackers.

“This evolution of IoT based botnets targeting the enterprise makes sense,” commented Lane Thames, senior security researcher at Tripwire.

“Enterprises are rapidly adopting IoT technologies, such as the WePresent system and the LG Supersign TV, and vulnerable IoT devices within enterprise networks increases attacker motivation due to more lucrative financial returns via extortion, intellectual property theft and such.”

Enterprise IoT security issues highlighted by Mirai botnet variant

While it is often assumed that enterprise technologies are more secure than their consumer equivalents, this Mirai botnet variant highlights that this is not, in fact, the case. Enterprise IoT devices are often far less secure than they should be.

“Hidden deeper in these reports is something much scarier to me, and it is the fact that we in the computing (digital) industry still have a long way to go in terms of maturing our secure development practices,” said Thames.

“Particularly, the two vulnerabilities affecting WePresent and the Supersign TV are trivial to exploit, but, more concerning, is that they are trivial to prevent. These two vulnerabilities are a classic case of a web application not sanitising user input (input that a user/attacker can control when interacting with the web application). These two vulnerabilities are very basic and easily addressed with modern development frameworks.”

The variant highlights the need for far greater commitment to IoT security.

“Organisations developing web-based products should have mechanisms in place to catch such low hanging ‘fruit’ as this during their development and QA processes,” he added.

“Don’t get me wrong, developing secure software is hard, and there is no such thing as perfect security. But, we should have graduated beyond this level of trivialness by now.”

For cybersecurity professionals, this latest variant is yet another challenge that is unlikely to be easily overcome.

“Unfortunately, cyber defenders are fighting an uphill battle, and scale is one of our biggest challenges,” he said.

“Countless systems are being developed and rushed to market and this is coupled with a growing talent pool of developers and engineers that have not been trained in any way around cybersecurity along with businesses that don’t understand the need for secure product development. Mirai and likely many other types of IoT based botnets are here to stay for a very long time.”