Another Mirai variant used in attempted hacks on routers, switches

Four years later, Mirai continues to haunt the internet.
(Getty Images)

Four years after being used in one of the most powerful distributed denial-of-service attacks on record, the so-called Mirai malware continues to haunt the internet.

Researchers on Monday evening revealed that attackers used a new variant of the malicious software in a string of ongoing hacking attempts against devices like routers and switches. The attackers are using no less than eight flaws in popular networking gear to try to remotely commandeer the devices, according to Palo Alto Networks’ Unit 42, the research outfit that made the discovery.

After breaking into a device, the attackers try to download malicious code to deploy Mirai variants, Unit 42 said. The concern is that the devices could be conscripted into a botnet, a horde of infected computers used for spamming or distributed denial-of-service (DDoS) attacks, which stifle connectivity by flooding a network with phony traffic. Unit 42 did not identify the suspected attackers. But Zhibin Zhang, principal researcher at Unit 42, told CyberScoop that several thousands of devices could be affected.

It’s a reminder of the frailty of internet of things devices native to homes and business around the world, and of the enduring power of Mirai (the name of both the malware and botnets that use it.)


In October 2016, the Mirai botnet was used in a DDoS attack that shook the internet, cutting off access to the websites of Twitter, PayPal, and other big techbology companies. Variants of the Mirai malware have continued to emerge in the years since, including one reportedly used to attack banks and government agencies in the Netherlands in 2018. A year ago, Unit 42 researchers reported on yet another Mirai variant they said could give the botnet “greater firepower” in conducting DDoS attacks.

U.S. law enforcement has pursued the alleged operators of Mirai. An unnamed defendant in December pleaded guilty to being involved in the 2016 DDoS attack, and three other suspects have pleaded guilty in connection with creating the botnet.

But the cat is already out of the bag: Someone publicly posted Mirai’s source code in 2016, opening up access to a number of attackers keen on building their own variants. 

Security researchers have long complained that the IoT market that values affordable and functional networking equipment over security.

“The IoT realm remains an easily accessible target for attackers,” the Unit 42 researchers wrote this week. “Many vulnerabilities are very easy to exploit and could, in some cases, have catastrophic consequences.”

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts