Botmasters have taken the lessons from developing Internet of Things (IoT) malware and shifted their focus to targeting commodity Linux servers. Like many IoT devices, unpatched Linux servers linger on the network, and are being abused at scale by attackers sending exploits to every vulnerable server they can find. ASERT, Arbor Networks' Security Engineering & Response Team, has been monitoring exploit attempts for the Hadoop YARN vulnerability in our honeypot network and found a familiar, but surprising payload – Mirai. These versions of Mirai behave much like the original but are tailored to run on Linux servers and not underpowered IoT devices. While ASERT has previously published observations of Windows Mirai, this is the first time we’ve seen non-IoT Mirai in the wild.
Key Findings about Mirai
- Mirai botmasters that target Linux servers no longer need to tailor their malware for strange architectures; they assume their targets are using x86.
- Rather than rely on the bots to propagate, the attackers have shifted their tactics to issuing exploits themselves. A relatively small number of attackers are using custom tools to exploit the Hadoop YARN vulnerability and deliver Linux malware.
- Even if the victim Hadoop YARN server is not running the telnet service, the Mirai bot will attempt to brute-force factory default credentials via telnet.
- Linux servers in datacenters have access to more bandwidth than IoT devices on residential networks, making them much more efficient DDoS bots. A handful of well-resourced Linux servers can generate attacks that compete with a much larger IoT botnet.
The Hadoop YARN vulnerability is relatively simple – a command injection flaw that allows the attacker to execute arbitrary shell commands. Last month, Radware discovered this vulnerability being used to install the DemonBot DDoS bot. In many ways this flaw is similar to others we’ve seen exploited in IoT devices. For instance, CVE-2014-8361, a flaw in Realtek’s UPnP SOAP interface, is also exploitable by sending an HTTP request to a special port with specific parameters to induce the execution of shell commands. The Realtek vulnerability was used to deliver a Mirai variant.
What’s surprising is that so many exploit attempts are being delivered by only a handful of unique sources. The figure below shows the number of unique source IP addresses delivering the Hadoop YARN exploit over the same time period.
If we look at the top 5 User-Agents delivering these exploits we can see the attackers using the Python requests library to deliver the HTTP payload:
The huge number of exploit attempts, coming from a small number of sources, coupled with the fact that none of the malware payloads we’ve seen try to propagate in a worm-able fashion using the Hadoop YARN exploit, and none of the payloads are written in Python, leads us to speculate that a small number of attackers are manually scanning the Internet to exploit this vulnerability.
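The per-source and per-User-Agent tally behind this observation can be reproduced from ordinary web access logs. The following is an added example, not ASERT's tooling: it assumes combined-format logs from a honeypot or a proxy in front of the ResourceManager, and that submissions arrive as POSTs to the YARN REST paths `/ws/v1/cluster/apps/new-application` and `/ws/v1/cluster/apps`; the log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format (documentation-range IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [16/Nov/2018:03:12:01 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 200 512 "-" "python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0"
192.0.2.10 - - [16/Nov/2018:03:12:02 +0000] "POST /ws/v1/cluster/apps HTTP/1.1" 202 0 "-" "python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0"
192.0.2.10 - - [16/Nov/2018:04:40:17 +0000] "POST /ws/v1/cluster/apps HTTP/1.1" 202 0 "-" "python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0"
198.51.100.7 - - [16/Nov/2018:05:01:44 +0000] "POST /ws/v1/cluster/apps HTTP/1.1" 202 0 "-" "python-requests/2.20.0"
203.0.113.5 - - [16/Nov/2018:05:09:30 +0000] "GET /cluster HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
not a log line
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# YARN ResourceManager REST endpoints used to create and submit an application
# (assumed here; the post does not name them).
SUBMIT_PATHS = {"/ws/v1/cluster/apps", "/ws/v1/cluster/apps/new-application"}

def summarize(log_text):
    """Count application-submission POSTs per source address and User-Agent."""
    by_src, by_ua = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue  # unparseable line or not a submission attempt
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path not in SUBMIT_PATHS:
            continue
        by_src[m["src"]] += 1
        # Drop the version so "python-requests/2.6.0 ..." groups by library name.
        by_ua[m["ua"].split("/", 1)[0].lower() or "-"] += 1
    total = sum(by_src.values())
    top_src, top_hits = by_src.most_common(1)[0] if by_src else (None, 0)
    return {
        "attempts": total,
        "unique_sources": len(by_src),
        "top_source": top_src,
        "top_source_share": round(top_hits / total, 2) if total else 0.0,
        "user_agents": by_ua.most_common(5),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A high `top_source_share` combined with a low `unique_sources` count is the pattern described above: many attempts from few senders, all using a scripted HTTP client.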
The exploit payloads we’ve seen, as shown below, are all functionally identical – pull down a malware binary from a URL and execute it.
What does differ is which malware is delivered in the exploit. For the month of November, we’ve seen 225 unique binaries being delivered. 152 – well over half – of the binaries are being delivered by just one source address. At least a dozen of the samples we’ve examined are clearly variants of Mirai.
Let’s focus on a Mirai variant that calls itself “VPNFilter” (2bcca8ac8d4d80f6740ef14d521284c0), even though it has nothing to do with the more advanced IoT bot. Across our honeypot network, we saw this exploit being delivered by two source addresses on Nov 16 – 18.104.22.168 and 22.214.171.124. The command-and-control site for this bot is the same IP address that hosts the binary.
This particular variant differs from an IoT Mirai in an important way – it only delivers the x86 version of the bot. IoT Mirai variants will poke around a potential victim in order to deliver an executable that’s suitable for its CPU architecture – x86, x64, ARM, MIPS, ARC, etc. This version assumes the Hadoop YARN service is running on a commodity x86 Linux server.
When running the “VPNFilter” variant in a sandbox, we immediately noticed it still tries to brute-force factory default usernames and passwords via telnet. If it successfully finds a vulnerable device, instead of directly installing the malware on the victim, it reports the IP address, username, and password to a reporting server, where the attacker can automate the installation of the bot.
Conclusion: Fully powered Linux servers among small, diminutive devices
Mirai is no longer solely targeting IoT devices. While the techniques used to deliver Mirai to both IoT devices and Linux servers may be similar, it’s much easier for attackers to attack the x86 monoculture of Linux servers than the wide array of CPUs used in IoT devices. The limited number of sources we’ve seen continually scanning for the Hadoop YARN vulnerability may indicate this activity is the work of a small group of attackers. Their goal is clear – to install the malware on as many devices as possible. Once it gains a foothold, Mirai on a Linux server behaves much like an IoT bot and begins brute-forcing telnet usernames and passwords. What’s different now is that among the small, diminutive devices in the botnet lurk fully powered Linux servers.
Matthew Bing - November 22 2018
Research Analyst at Arbor Networks/Netscout