A Mirai variant has been discovered targeting unpatched Linux servers, shifting the use of the malicious payload beyond the internet of things (IoT), according to new research from NETSCOUT ASERT.
Using their honeypot network to monitor the tens of thousands of daily exploit attempts for the Hadoop YARN vulnerability, Arbor’s Security Engineering and Response Team (ASERT) researchers surprisingly found the all-too-familiar Mirai payload.
“Mirai botmasters have found they can target Linux servers just as easily as IoT devices. They attack the servers themselves rather than rely on the bots to propagate, since servers tend not to move around the network or get powered down,” said Matt Bing, security research analyst at NETSCOUT.
“Servers make an attractive target for DDoS bots for their network speed and hardware resources, compared to relatively underpowered IoT devices. What we’ve seen is Linux servers being conscripted to the same botnets as IoT devices. In the future we can expect more DDoS botnets with both infected IoT devices and Linux servers, like an army of foot soldiers being supported by tanks.”
Tailored to run on Linux servers, the new variant of Mirai exhibited similar behaviors to those of the original version. This discovery marks the first time ASERT has seen Mirai used to exploit non-IoT systems in the wild.
“Rather than rely on the bots to propagate, the attackers have shifted their tactics to issuing exploits themselves. A relatively small number of attackers are using custom tools to exploit the Hadoop YARN vulnerability and deliver Linux malware,” Bing wrote.
The vulnerability leverages a command injection flaw, enabling the execution of arbitrary shell commands, a vulnerability used last month to install the DemonBot DDoS bot, according to the researchers.
Given that Linux servers have access to greater bandwidth than IoT devices running on the networks, the Mirai bots reportedly act as more efficient DDoS bots, capable of executing attacks that compete with a much larger IoT botnet.