Unpacking the Complex Web: How Mirai Variant IZ1H9 Exploits a New Wave of Vulnerabilities in IoT Devices
One of the most notorious names in cybersecurity is Mirai, a malware strain responsible for converting networked devices running Linux into remotely controlled “bots,” that can be used as part of a botnet in large-scale network attacks. Recently, a variant of this malware, known as IZ1H9, has substantially upgraded its toolkit, adding 13 new exploits aimed at a variety of IoT devices such as routers and IP cameras. First identified in August 2018, IZ1H9 has become one of the most active variants in the Mirai family, relentlessly targeting unpatched vulnerabilities in IoT devices to co-opt them for distributed denial-of-service (DDoS) attacks.
Read More: A Comprehensive Guide to Mirai Malware
Manufacturers Targeted
The devices being targeted originate from an array of manufacturers, including D-Link, TP-Link, Zyxel, and others, according to a report by Fortinet. This expansion adds to an already impressive list of more than 30 targeted vulnerabilities involving manufacturers such as Geutebruck, Korenix, Netis, Sunhillo, Totolink, and Yealink.
Read More: Fortinet's Recent Security Report
The Latest Arsenal
The new exploits target a variety of issues, from critical-severity flaws like CVE-2015-1187, CVE-2016-20017, CVE-2020-25506, and CVE-2021-45382 in D-Link devices, to command injection bugs affecting firmware supplied by UDP Technology to Geutebruck and other OEMs for their IP cameras. Even more alarmingly, some of the new exploits target vulnerabilities that have not been previously reported as exploited in the wild, such as CVE-2021-36380 and CVE-2023-23295.
The D-Link Exploits
Four of the newly added exploits focus on D-Link vulnerabilities, allowing attackers to execute arbitrary code on the targeted devices. These are high-severity flaws, and the addition of these exploits makes IZ1H9 a more formidable threat than ever.
Read More: D-Link's Security Advisory
Exploits in Other Devices
In addition to D-Link, the IZ1H9 variant has incorporated exploits for a range of other devices. Eight exploits, for example, affect arbitrary command execution bugs in the firmware supplied by UDP Technology to Geutebruck and other OEMs for their IP cameras.
Another worrying inclusion is the exploit for CVE-2023-23295, a command injection vulnerability in Korenix JetWave routers. Similarly, the malware variant has added an exploit for CVE-2019-19356, a remote code execution (RCE) bug affecting Netis WF2419 wireless routers. This particular vulnerability has been exploited before by other Mirai variants.
Read More: Understanding CVE-2023-23295
Uncharted Territory
Itβs worth noting that some of the newly added vulnerabilities have not been previously exploited in the wild. This suggests that the threat actors behind IZ1H9 are either extraordinarily resourceful or are benefitting from inside information about these vulnerabilities.
The IoT Threat Landscape
IoT devices have long been an appealing target for cybercriminals, with remote code execution attacks posing significant threats. Given the widespread deployment of IoT devices, from security cameras to smart home gadgets, this makes them a critical point of focus for both cybersecurity professionals and cybercriminals. Despite available patches for these vulnerabilities, Fortinet's data suggests that the number of exploit triggers remains unsettlingly high.
Read More: Fortinet's Analysis on IoT Threat Landscape
The Future of IoT Security
As the Mirai Variant IZ1H9 expands its list of exploits, it becomes increasingly evident that simply patching old vulnerabilities may not be enough. Cybersecurity strategy needs to evolve to counter new, more potent threats actively. This could involve advanced threat detection systems, widespread user education, and potentially even regulatory action to secure this booming landscape of interconnected devices.
Read More: How to Secure IoT Devices: A Practical Guide
Conclusion
The Mirai Variant IZ1H9's addition of 13 new exploits highlights the need for continuous vigilance in the cybersecurity space, particularly concerning IoT devices. Manufacturers, users, and cybersecurity professionals must work in concert to secure devices, patch known vulnerabilities, and prepare for new types of attacks that criminals are developing.
With its recent upgrade, IZ1H9 has solidified its reputation as one of the most versatile and dangerous variants in the Mirai family. The wide range of exploits now included in its arsenal makes it a Swiss Army knife of IoT exploitation, capable of attacking various devices across multiple platforms.
By staying informed and proactive, there's hope to mitigate the risks posed by such malware variants. Yet, as the Mirai Variant IZ1H9 and its growing list of exploits demonstrate, the battleground is far from static, and the war against cyber threats is an ongoing one.
FAQs
What is the Mirai Variant IZ1H9?
The Mirai Variant IZ1H9 is an updated version of the original Mirai botnet. This variant has added 13 new exploits to its arsenal, targeting various Internet of Things (IoT) devices, including routers and IP cameras.
Which devices are most vulnerable to this Mirai variant?
The devices that are most vulnerable are those from D-Link, TP-Link, Zyxel, and several other manufacturers. The variant exploits unpatched vulnerabilities in these devices to include them in distributed denial-of-service (DDoS) attacks.
What are the specific CVE codes for these vulnerabilities?
Some of the specific Common Vulnerabilities and Exposures (CVE) codes targeted by this variant include CVE-2015-1187, CVE-2016-20017, CVE-2020-25506, and CVE-2021-45382 among others.
How does IZ1H9 carry out its attacks?
IZ1H9 exploits these vulnerabilities to execute arbitrary code on affected IoT devices, taking control of them and using them in DDoS attacks.
Are there any in-the-wild exploitations of these new vulnerabilities?
Some of the vulnerabilities, such as CVE-2021-36380 and CVE-2023-23295, do not have any previous reports of being exploited in the wild. However, the level of exploitation attempts peaked on September 6, according to Fortinet.
What is Fortinet's role in this?
Fortinet is a cybersecurity firm that has been monitoring this Mirai variant and reporting on its activities. They have provided critical insights into how the variant works and which vulnerabilities it is exploiting.
How do these exploits affect the security of IoT devices?
These exploits pose a severe security risk to IoT devices and, by extension, to the networks they are connected to. The devices can be commandeered to participate in DDoS attacks, potentially leading to broader network compromise.
What should I do to protect my devices from these exploits?
To protect your IoT devices, you should update them with the latest security patches and regularly monitor security advisories from both the device manufacturers and cybersecurity agencies.
Are Linux servers also at risk?
Yes, according to Fortinet, remote code execution attacks pose concerning threats to both IoT devices and Linux servers.
How can I stay updated on the latest exploits and variants?
Keep an eye on cybersecurity reports and updates from trusted organizations like Fortinet, as well as government advisories regarding cybersecurity threats.
Kevin Bong was formerly the Director of Corporate Security for Johnson Financial Group, and currently works as an Information Assurance Consultant for SynerComm, Inc.Β Kevin has a BS in Physics and Computer Science from Carroll University, an MS in Information Security Engineering from the SANS Institute, and has earned multiple certifications including PMP and GIAC GSE.Β Kevin is also an amateur astronomer, beekeeper, an author and instructor, and a pretty neat dad. Prior to Impulsec, Kevin workedΒ a Penetration Testing “Drop Box” project similar to the Pwnie Express called the MiniPwner.
Leave a Reply