On Thursday, cybersecurity experts disclosed details regarding a newly discovered Mirai-inspired botnet called “mirai_ptea”. It exploits an undisclosed flaw in a digital video recorder (DVR) provided by KGUARD to propagate and execute a distributed denial of service (DDoS) attack.
Netlab 360, a Chinese security company pinned the first investigation into defects on March 23, 2021, before aggressive botnet attempts were detected on June 22, 2021. Since the emergence of the Mirai botnet in 2016, it has been linked to a series of large-scale DDoS attacks.
In October 2016, users of DNS service provider Dyn in Europe and North America lost access to major Internet platforms and services.
Since then, numerous versions of Mirai have sprung up in the field, partly because the source code is available on the internet. Mirai_ptea is no exception.
According to researchers, the Mirai botnet is a piece of nasty Internet of Things (IoT) malware that compromised 300,000 IoT devices, such as wireless cameras, routers, and digital video recorders. It scans Internet of Things devices and uses default passwords and then adds the passwords into a botnet network, which is then used to launch DDoS attacks on websites and Internet infrastructure.
Cybersecurity researchers have not revealed the whole details regarding the security flaw in an attempt to prevent further exploitation, but the researchers said the KGUARD DVR firmware had vulnerable code prior to 2017 that enabled remote execution of system commands without authentication. At least approximately 3,000 devices published online are vulnerable to this flaw.
In addition to using Tor Proxy to link with the Command and Control (C2) server, analysis of the mirai_ptea sample disclosed extensive encryption of all sensitive resource information. It is decoded to establish a connection with the C2 server and retrieve attack commands for execution, including launching DDoS attacks.
“The geographic distribution of bot source IPs is […] mainly concentrated in the United States, Korea, and Brazil,” the researchers stated, with infections reported across Europe, Asia, Australia, North and South America, and parts of Africa.
In 2017, Paras Jha, 21, of Fanwood, New Jersey; Josiah White, 20, of Washington, Pennsylvania; and Dalton Norman, 21, of Metairie, Louisiana were charged for creating the Mirai IoT botnet. The three admitted conspiracy to violate the Computer Fraud & Abuse Act.