A massive new botnet of connected devices tied to Mirai is coming to life. That is what Netlab announces.
This Chinese security company, which specializes in anti-DDoS services, has seen a rise in scan traffic on ports 2323 and 23 since November 22, coming from nearly 100,000 IP addresses.
“After investigation, we are almost certain that this is a variant of Mirai,” say the researchers on their blog.
The attacks consist of attempts to log in to the devices' administration interfaces. Two credential pairs are in active use today: admin / CentryL1nk and admin / QwestM0dem. The first is known to be used to break into Zyxel PK5001Z modems.
The attack code was publicly revealed on October 31 by Li Fengpei, a Netlab researcher.
It exploits the CVE-2016-10401 vulnerability, which makes it possible to log in to the modem as administrator over the Telnet protocol with the credentials mentioned above.
Although the malware code dates from late October, the traffic only began to intensify on November 22, peaking the next day before subsiding, a pattern that can be explained by Mirai's lack of persistence.
In other words, control of the modem is lost if it is rebooted (before it is possibly re-infected).
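As an added illustration from the defender's side (not code from Netlab or the article), the following script flags Telnet login attempts on ports 23 and 2323 that use the two credential pairs named above, grouping them by source IP. The log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Credential pairs and ports reported in the article.
KNOWN_PAIRS = {("admin", "CentryL1nk"), ("admin", "QwestM0dem")}
SCAN_PORTS = {23, 2323}

# Constructed sample Telnet login log lines (not real captures); the format is assumed:
# <timestamp> src=<ip> dport=<port> user=<u> pass=<p> result=<ok|fail>
SAMPLE_LOG = """\
2017-11-23T10:00:01Z src=203.0.113.10 dport=23 user=admin pass=CentryL1nk result=fail
2017-11-23T10:00:02Z src=203.0.113.10 dport=2323 user=admin pass=QwestM0dem result=ok
2017-11-23T10:00:05Z src=198.51.100.7 dport=23 user=root pass=toor result=fail
2017-11-23T10:00:09Z src=203.0.113.44 dport=2323 user=admin pass=CentryL1nk result=ok
2017-11-23T10:00:11Z src=198.51.100.7 dport=8080 user=admin pass=CentryL1nk result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pass>\S*) result=(?P<result>\w+)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def find_mirai_logins(log_text):
    """Group login attempts on ports 23/2323 that use one of the known credential
    pairs, keyed by source IP; each value lists (port, password, result) tuples."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in SCAN_PORTS:
            continue
        if (rec["user"], rec["pass"]) in KNOWN_PAIRS:
            hits[rec["src"]].append((rec["dport"], rec["pass"], rec["result"]))
    return dict(hits)

def successful_sources(log_text):
    """Source IPs with at least one accepted login using a known pair: the devices
    they reached still accept the CVE-2016-10401 credentials and need attention."""
    return sorted(src for src, attempts in find_mirai_logins(log_text).items()
                  if any(result == "ok" for _, _, result in attempts))
```

Attempts on other ports or with other credentials are ignored, so the output only reflects the pattern the article describes; a real deployment would feed it the device's or honeypot's actual log format.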
According to Netlab, the majority of attacks (65,700 IP addresses) come from Argentina, and particularly from the operator Telefónica. This suggests that many Zyxel modems, probably distributed to residential customers, are affected.
No visible consequences for now. But infected modems could be used to launch DDoS attacks, among other things. If that is the case, we will know soon.