Serviceteam IT Security News

Threat researchers have spotted a new kind of cyber-attack that uses a variant of Mirai malware to target a port used by IoT devices.

The attack, orchestrated by someone using the alias “Priority,” was detected by a team at Juniper Threat Labs. Priority appears to have been up to no good since September 10.

Researchers noted that this new malicious kid on the block is hitting port 60001 using the Demonbot variant of Mirai together with a second variant developed by Scarface.

Port 60001 is a common port used by IoT devices, most notably the Defeway cameras, which make up over 90% of all cameras using this port. These cameras are being installed within networks with no password protection.

“While the users feel they are simply giving themselves access to view their camera from anywhere, it is actually giving attackers the ability to install botnets, such as Mirai, on the device,” said Juniper’s Jesse Lands.

Priority has been observed attacking ports 5500, 5501, 5502, 5050, and 60001 with a simple command that leverages the MVPower DVR Shell Unauthenticated Command Execution vulnerability, reported by Unit 42 as part of the Omni Botnet variant of Mirai.

Researchers believe the attacker is either an unsophisticated amateur or someone who wishes to hide their true identity by appearing to be more criminally inexperienced than they actually are.

“What is interesting about this attacker is Juniper Threat Labs has not witnessed them using any additional exploits, perhaps showing again the attacker’s immaturity in the attack methodology,” noted researchers.

“In contrast, we see the majority of attackers using Mirai variants running three to seven different vulnerabilities against multiple protocols or devices.”

Priority has bucked this trend by limiting their attack to a single exploit and making it clear that their sights are locked on port 60001.

“The other ports appear more like a diversion, leading us to believe that the attacker has a specific objective in mind,” noted researchers.

All the attacks were found to have originated from an IP address owned by Virtual Private Server (VPS) provider Digital Ocean and linked to their Santa Clara data center.
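Defenders can look for this pattern in perimeter logs: one external source probing the listed ports, and internal devices that accepted outside connections on port 60001. The script below is an added example, not code from the article or from Juniper Threat Labs; the iptables-like log layout, the 192.168.1.0/24 internal range and every address in the sample are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Ports named in the article; 60001 is the one the campaign focuses on.
WATCHED_PORTS = {5050, 5500, 5501, 5502, 60001}
FOCUS_PORT = 60001
INTERNAL_NET = ip_network("192.168.1.0/24")  # assumed LAN range

# Constructed sample in an iptables-like key=value layout (assumed format).
SAMPLE_LOG = """\
Sep 12 03:14:01 fw kernel: ACCEPT SRC=203.0.113.7 DST=192.168.1.20 PROTO=TCP SPT=41822 DPT=60001
Sep 12 03:14:02 fw kernel: DROP SRC=203.0.113.7 DST=192.168.1.21 PROTO=TCP SPT=41830 DPT=5500
Sep 12 03:14:02 fw kernel: DROP SRC=203.0.113.7 DST=192.168.1.21 PROTO=TCP SPT=41831 DPT=5050
Sep 12 03:14:05 fw kernel: ACCEPT SRC=203.0.113.7 DST=192.168.1.22 PROTO=TCP SPT=41840 DPT=60001
Sep 12 03:15:10 fw kernel: ACCEPT SRC=198.51.100.9 DST=192.168.1.30 PROTO=TCP SPT=50211 DPT=443
Sep 12 03:16:44 fw kernel: DROP SRC=198.51.100.23 DST=192.168.1.20 PROTO=TCP SPT=50900 DPT=5501
Sep 12 03:17:00 fw kernel: ACCEPT SRC=192.168.1.5 DST=192.168.1.20 PROTO=TCP SPT=51000 DPT=60001
"""

LINE_RE = re.compile(r"\b(ACCEPT|DROP)\b.*?SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")

def analyse(log_text):
    """Return (suspect_sources, exposed_devices).

    suspect_sources: external IP -> sorted watched ports it probed, kept
        only for sources that touched the focus port.
    exposed_devices: sorted internal IPs that ACCEPTED an external
        connection on the focus port (candidates for firewalling).
    """
    ports_by_src = defaultdict(set)
    exposed = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a connection record
        action, src, dst, dport = m[1], m[2], m[3], int(m[4])
        # Ignore unrelated ports and LAN-to-LAN traffic.
        if dport not in WATCHED_PORTS or ip_address(src) in INTERNAL_NET:
            continue
        ports_by_src[src].add(dport)
        if dport == FOCUS_PORT and action == "ACCEPT":
            exposed.add(dst)
    suspects = {s: sorted(p) for s, p in ports_by_src.items() if FOCUS_PORT in p}
    return suspects, sorted(exposed)

if __name__ == "__main__":
    suspects, exposed = analyse(SAMPLE_LOG)
    print("Sources probing port 60001:", suspects)
    print("Devices reachable on port 60001:", exposed)
```

Devices listed as reachable are the ones to place behind a firewall or VPN and to give a password, since the article notes these cameras are being installed with none.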

Source: Infosecurity Magazine
