DHS is warning users that the Mirai malware is infecting wireless gateways sold by Sierra Wireless and using the compromised devices as part of a botnet for DDoS attacks.
The Mirai malware has been targeting a variety of embedded devices, especially CCTV cameras, that have default telnet credentials enabled and compromising them. The attackers deploying the malware are using the resultant botnet for a series of large-scale DDoS attacks that have reached the 1 Tbps threshold. While most of the devices Mirai is compromising have telnet running on an open port and have default credentials enabled, the Department of Homeland Security said last week that many Sierra Wireless gateways also have been compromised by Mirai.
“Based on currently available information, once the malware is running on the gateway, it deletes itself and resides only in memory. The malware will then proceed to scan for vulnerable devices and report its findings back to a command and control server. The command and control server may also instruct the malware to participate in a DDoS attack on specified targets,” the DHS alert says.
“Currently, the best known indicator of the malware’s presence is abnormal traffic on Port 23/TCP as it scans for vulnerable devices. Users may also observe command and control traffic on Port 48101/TCP, and a large amount of outbound traffic if the infected gateway is participating in a DDoS attack.”
Sierra Wireless makes a wide range of products, including routers, gateways, and other networking gear. The devices that Mirai is infecting include:
- LS300
- GX400
- GX/ES440
- GX/ES450
- RV50
Mirai isn’t exploiting any vulnerabilities in the Sierra gear, but is simply taking advantage of known default credentials that many users never bother to change. DHS said in its alert that unless users change the credentials, Mirai likely will reinfect any device that’s cleaned after an initial infection.
“Because the malware resides only in memory, rebooting the gateway will remove the infection. However, if the gateway continues to use the default ACEmanager password, it will likely become reinfected,” the alert says.
“Devices attached to the gateway’s local area network may also be vulnerable to infection by the Mirai malware. Sierra Wireless gateways have a number of features that make these devices remotely accessible.”
Mirai isn’t a brand new threat, but it has been in the spotlight lately as a result of the enormous DDoS attacks that it has been involved in. The botnet was used to attack journalist Brian Krebs’s site as well as hosting provider OVH in recent weeks. Oddly, it mainly comprises IoT devices such as the Sierra gateways, CCTV cameras, and other embedded devices rather than PCs or servers.
