Mirai-based botnet updates its ‘arsenal of exploits’ on routers and IoT devices


A Mirai-based malware botnet has expanded its payload arsenal to aggressively target routers and other Internet-connected devices, researchers have discovered.

The variant, called IZ1H9, has been observed by Fortinet researchers exploiting vulnerabilities in products from nine different brands, including D-Link, Netis, Sunhillo, Geutebruck, Yealink, Zyxel, TP-Link, Korenix and TOTOLINK. The “peak exploitation” of vulnerabilities occurred on September 6, researchers estimate.

“This highlights the campaign’s ability to infect vulnerable devices and significantly expand its botnet through rapid use of recently released exploit code, which encompasses numerous CVEs,” they wrote.

The IZ1H9 variant was discovered in August 2018, two years after the original Mirai botnet was first seen infecting Linux-based devices. Mirai has been used in some of the most disruptive distributed denial of service (DDoS) attacks on record, including a 2016 incident which brought down websites such as Twitter, Reddit and Netflix.

Callie Guenther, senior manager of cyberthreat research at cybersecurity firm Critical Start, said the reach of targeted devices sets off alarms.

“Since IZ1H9 targets a multitude of devices and vulnerabilities, it has the potential to build a large botnet,” she said. “This means its DDoS attacks could be particularly powerful, capable of destroying large websites or critical online services.”

DDoS attacks work by overwhelming targeted websites with unwanted traffic, often from infected devices that together form a botnet.

As recent geopolitical events have shown, while DDoS attacks rarely inflict lasting damage, they can still make difficult scenarios even worse for victims. After Hamas’ surprise attack on Israel on Saturday, for example, hacktivists spearheaded cyberattacks against entities linked to both sides of the war.

“At a time of great geopolitical unrest, an increase in DDoS attacks is likely,” said John Bambenek, principal threat hunter at IT management company Netenrich. “With these changes, more vulnerable devices are emerging and it is purely a math game. More nodes in the botnet means more attacks and more outages.”

On Tuesday, Amazon, Google and Cloudflare said they detected the largest DDoS attacks ever recorded due to a recently discovered vulnerability, which they called an HTTP/2 fast reset attack.

Additional reporting by Jonathan Greig.


James Reddick

James Reddick has worked as a journalist around the world, including in Lebanon and Cambodia, where he was deputy editor of the Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.
