Old threats often grow new capabilities and that’s the case too with IZ1H9, as security experts have recently discovered a new version of the infamous Mirai botnet. The new variant exploits four distinct vulnerabilities in various devices, targeting Internet of Things (IoT) devices and Linux-based servers.

By exploiting these vulnerabilities, IZ1H9 can enlist compromised devices into botnets capable of launching distributed denial of service (DDoS) attacks, and committing automated fraud. Security experts found this when they were looking at an ongoing attack on April 10, 2023.

In this article, we’ll review Mirai and look at its new capabilities. We’ll also outline how organizations can secure IoT devices on their own – including through using botnet and fraud prevention solutions.

What is IZ1H9?

IZ1H9 is a botnet that’s been observed in countless cyberattacks. The botnet exploits vulnerabilities in exposed devices and servers that run the Linux operating system. This botnet is classified as a variant of the infamous Mirai botnet – a broader group of threats that leverage vulnerabilities on individual IoT devices to add compromised devices to botnets.

Once populated with compromised devices, these botnets are then capable of carrying out network-based attacks, the most common example being distributed denial of service (DDoS) attacks. The technique used to compromise the devices in the first place is called remote code execution (RCE), and it’s one of the last things an organization wants to see on its networks.

Though, in this instance, Unit 42 observed Mirai on April 10, it’s a threat that has been around since 2018. It’s commonly used by threat actors – with one specific group known to be using this exploit consistently since November of 2021. That group is believed to be responsible for multiple attacks, as indicated by the similar malware shell script downloaders that were used in the attacks – including a common XOR decryption key as well as common infrastructure.

IZ1H9 Targets New Device Types

IZ1H9 continues to evolve, targeting new types of devices with an increasingly sophisticated approach. In the attack on April 10, researchers observed abnormal traffic where the attackers attempted to download and then execute a shell script downloader, known as lb.sh.

When the attacker executes this script, it automatically deletes logs to cover its tracks, and then deploys and executes several bot clients that can infect various Linux architectures. As a final stage, the script modifies the device’s iptables rules to block network connections on several ports, including telnet, SSH and HTTP.

This blocking effort means that victims cannot connect to and recover their compromised devices remotely. It gets worse. IZ1H9 carries out a preliminary check of the network part of the infected device’s IP address and doesn’t execute if it senses it’s on an IP that includes internet providers, government networks, and large tech firms.
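The lockout step described above (dropping telnet, SSH and HTTP with iptables) leaves a visible trace in the device’s firewall configuration, which gives defenders something concrete to check for. The following is an added example written for this article, not code from the original post or from Unit 42: it parses `iptables -S` style output and flags INPUT-chain DROP/REJECT rules that cover those management ports. The two sample rulesets are constructed for illustration, and the set of ports treated as "management ports" is an assumption of the example.

```python
import re
import subprocess

# Management ports the article says the downloader script blocks after infection.
# The port-to-service mapping is standard; the set itself is an assumption of this example.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 80: "http"}

# `iptables -S` prints every rule as "-A <chain> <matches> -j <target> [target options]".
RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)(?P<body>.*?)\s-j\s+(?P<target>DROP|REJECT)\b")
DPORT_RE = re.compile(r"--dport\s+(\d+)")
MULTIPORT_RE = re.compile(r"--dports\s+([\d,:]+)")

# Constructed sample: what a device locked out by the script described above might show.
INFECTED_RULESET = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
"""

# Constructed sample: a device with ordinary hardening rules only.
CLEAN_RULESET = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 1900 -j DROP
-A FORWARD -p tcp -m tcp --dport 23 -j DROP
"""


def ports_in(body):
    """Collect destination ports from --dport and multiport --dports (ranges expanded)."""
    ports = set()
    m = DPORT_RE.search(body)
    if m:
        ports.add(int(m.group(1)))
    m = MULTIPORT_RE.search(body)
    if m:
        for item in m.group(1).split(","):
            if ":" in item:
                lo, hi = (int(x) for x in item.split(":"))
                ports.update(range(lo, hi + 1))
            else:
                ports.add(int(item))
    return ports


def find_lockout_rules(rules_text):
    """Return (port, service, rule) for every INPUT rule that drops or rejects a management port."""
    findings = []
    for line in rules_text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if not m or m.group("chain") != "INPUT":
            continue
        for port in sorted(ports_in(m.group("body"))):
            if port in MANAGEMENT_PORTS:
                findings.append((port, MANAGEMENT_PORTS[port], line))
    return findings


def check_live_device():
    """Run the same check against the local firewall; needs root and iptables on PATH."""
    out = subprocess.run(["iptables", "-S"], capture_output=True, text=True, check=True).stdout
    return find_lockout_rules(out)


if __name__ == "__main__":
    for port, service, rule in find_lockout_rules(INFECTED_RULESET):
        print(f"management port {port} ({service}) is blocked: {rule}")
    print("clean ruleset findings:", find_lockout_rules(CLEAN_RULESET))
```

A hit is a prompt to investigate rather than proof of infection: deliberate hardening can also drop these ports, and a default INPUT policy of DROP (as in the clean sample) blocks them without any per-port rule, so the check is best paired with a comparison against the device’s known-good configuration and with the log-deletion behaviour mentioned above.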

It suggests that the threat group operating IZ1H9 wants to make sure the compromised device is long-lived by staying hidden from entities that could disrupt the botnet​.

The botnet client writes out the word “Darknet” to the system to announce its presence, and makes sure that the device is running just one instance of the malware: if a botnet process is already in existence, the botnet client will end the current process and begin once again.

Protecting IoT Devices Against Attacks

IoT devices are now essentially ubiquitous, appearing in everything from security cameras to monitoring devices on the factory floor. This ubiquity is matched by the easy way in which IoT devices are exploited, and Mirai is just one example. In fact, a recent report from Nokia found that IoT botnet activity has significantly increased.

Even if the ultimate target lies elsewhere, enterprises should still guard against IoT attacks for malicious purposes such as Distributed Denial of Service (DDoS) botnet attacks, because nobody wants their networks used for criminal purposes. Organizations can take several steps to accomplish this:

  • Device inventory and management, including establishing a complete inventory of all IoT devices in use across the enterprise: their purpose, the data they handle, connectivity needs, etc.
  • Secure device configuration that goes beyond the easily exploitable default credentials – updating usernames and passwords is a crucial first step.
  • Regular software and firmware updates ensure that all IoT devices have the latest patches including security fixes that can protect against known vulnerabilities.
  • Network segmentation can isolate IoT devices from other critical systems, which limits the spread of a potential breach and prevents the devices from being used in a botnet for DDoS attacks.

All the other, common cybersecurity good practice rules still apply including the deployment of suitable firewalls and intrusion detection systems and using encrypted communication to protect data integrity and confidentiality.

Active Botnet and DDoS Protection

Of course, it’s not just the risk of devices being nefariously used for a botnet attack – organizations should also focus on protecting themselves against becoming victims of a botnet attack. Simple DDoS protection measures can go a long way, which includes rate limiting, IP filtering, anomaly detection, and more. Having a DDoS mitigation plan and partnering with a DDoS mitigation service is beneficial.

Companies can also implement bot management strategies to detect bot activity, determine its source, and understand the nature of the activity – but without blocking good bots such as search engine bots, or blocking in-house bots used for testing and automation.

Bot management uses challenge-based and behavioral methods to detect bot traffic, including tasks that are difficult or impossible for bots to perform, such as CAPTCHA verification, JavaScript execution, or cookie acceptance.

The behavioral approach evaluates user activity and matches it against known patterns to classify it as a human, good bot, or bad bot. Combining these techniques provides more effective bot management, and there are also services available that automate this process​​.

A bot management solution that uses all three of the above approaches can effectively investigate each visitor, match it with a behavioral ID, and effectively protect against malicious bots while ensuring legitimate bots and human users can access the site without interruption. In doing so, it significantly mitigates the risk of DDoS attacks.
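The rate limiting, challenge-based and behavioral techniques described in the last few paragraphs can be combined in a single classifier. The following is an added example written for this article, not code from the original post or from any bot-management vendor: it replays constructed request log lines through a per-IP sliding-window rate limiter and a few challenge and allowlist signals, and labels each source as a human, a good bot, or a bad bot. The thresholds, the crawler user-agent list, the in-house allowlist and the tab-separated log format are all assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Tunables: assumed values chosen for this example, not taken from the article.
WINDOW_SECONDS = 10              # sliding window for the per-IP rate limiter
RATE_LIMIT = 15                  # more requests than this inside one window trips the limiter
MIN_REQUESTS_FOR_CHALLENGE = 5   # need this many requests before judging challenge failures
KNOWN_GOOD_BOT_UA = ("Googlebot", "Bingbot")  # real deployments verify crawlers via reverse DNS, not UA alone
INHOUSE_BOT_IPS = {"10.0.0.4"}   # assumed allowlist for in-house test/automation bots


@dataclass
class Request:
    ts: float        # seconds since epoch
    ip: str
    path: str
    js_ok: bool      # client completed the JavaScript challenge
    cookie_ok: bool  # client returned the challenge cookie
    ua: str


def parse_log(text):
    """Parse constructed tab-separated lines: ts, ip, path, js_ok, cookie_ok, user-agent."""
    reqs = []
    for line in text.strip().splitlines():
        ts, ip, path, js, cookie, ua = line.split("\t")
        reqs.append(Request(float(ts), ip, path, js == "1", cookie == "1", ua))
    return reqs


def rate_limit_tripped(timestamps):
    """Sliding window: True if more than RATE_LIMIT requests fall inside any WINDOW_SECONDS span."""
    ts = sorted(timestamps)
    start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > WINDOW_SECONDS:
            start += 1
        if end - start + 1 > RATE_LIMIT:
            return True
    return False


def classify(reqs):
    """Return {ip: (verdict, reason)} with verdict in {"human", "good bot", "bad bot"}."""
    by_ip = defaultdict(list)
    for r in reqs:
        by_ip[r.ip].append(r)
    verdicts = {}
    for ip, rs in by_ip.items():
        if ip in INHOUSE_BOT_IPS:
            verdicts[ip] = ("good bot", "in-house allowlist")
        elif all(any(tag in r.ua for tag in KNOWN_GOOD_BOT_UA) for r in rs):
            verdicts[ip] = ("good bot", "known crawler user-agent")
        elif rate_limit_tripped([r.ts for r in rs]):
            verdicts[ip] = ("bad bot", "rate limit exceeded")
        elif len(rs) >= MIN_REQUESTS_FOR_CHALLENGE and not any(r.js_ok or r.cookie_ok for r in rs):
            verdicts[ip] = ("bad bot", "never passes JS or cookie challenge")
        else:
            verdicts[ip] = ("human", "passes challenges within rate limit")
    return verdicts


# Constructed sample traffic; all addresses are from documentation ranges.
SAMPLE_LOG = "\n".join(
    # a browser user: three requests, challenge passed
    [f"{1000 + i * 20}\t203.0.113.5\t/products\t1\t1\tMozilla/5.0 (X11; Linux x86_64)" for i in range(3)]
    # a flood: 20 requests in two seconds, no challenge passed
    + [f"{1000 + i * 0.1:.1f}\t198.51.100.9\t/login\t0\t0\tpython-requests/2.31" for i in range(20)]
    # a slow scraper: six requests a minute apart, never passes a challenge
    + [f"{1000 + i * 60}\t203.0.113.200\t/catalog?page={i}\t0\t0\tcurl/8.0" for i in range(6)]
    # a search engine crawler
    + [f"{1000 + i * 5}\t192.0.2.77\t/sitemap.xml\t0\t0\tMozilla/5.0 (compatible; Googlebot/2.1)" for i in range(4)]
    # an in-house monitoring bot
    + [f"{1000 + i * 30}\t10.0.0.4\t/healthz\t0\t0\tinternal-monitor/1.0" for i in range(2)]
)

if __name__ == "__main__":
    for ip, (verdict, reason) in sorted(classify(parse_log(SAMPLE_LOG)).items()):
        print(f"{ip:16} {verdict:9} ({reason})")
```

The ordering of the checks matters: allowlisted and verified good bots are exempted before the rate limiter runs, so the search-engine and in-house bots the article wants to keep are never blocked, while the slow scraper shows why a rate limit alone is not enough and the challenge signals are needed as well. In production the verdict would feed a throttle or challenge step rather than a print statement.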

Comprehensive Planning is Key

IoT devices do not have an unlimited lifespan, so organizations need to monitor for end-of-life and decommission devices when needed. Finally, employees should be made aware of the risks associated with IoT devices and be trained in secure practices: including taking care to buy devices from manufacturers with a trusted reputation, and changing the default password.

Altogether, these actions can mount a stiff defense against botnets like Mirai – and should be taken seriously by every organization, particularly given the ubiquity of IoT devices.
