Wicked, a variation of Mirai, the malware that took large swaths of the internet offline in 2016, has been found by security researchers at Fortinet and poses a new threat to IoT devices.
According to a blog post published today, Fortinet’s researchers say that Wicked has at least three exploits in its toolkit. The malware targets unpatched IoT devices and can make them vulnerable to other Mirai variants including the Sora, Owari, and Omni botnets. Indeed, Fortinet thinks that Wicked, Sora, Owari, and Omni all have the same author.
Back in 2016, when Mirai first came on the scene, it was able to black out huge swaths of the internet by using already connected and unprotected ‘smart’ devices, turning them into a giant botnet. From there, the botnet unleashed three separate distributed denial-of-service (DDoS) attacks. By piling on DDoS attacks in waves, it made it hard for DNS providers to isolate the attack, recover, and get sites back online. Mirai’s code is open source, which has meant that cyber adversaries have been using it as a basis to create their own versions like Wicked, Sora, Owari, Omni, and others.
IoT devices have famously inconsistent security standards. Many come with limited out-of-the-box protection, and for governments, which typically deploy large networks of devices, it can be difficult to ensure all points are protected. As CivSource recently reported, only 33 percent of enterprise IoT users in a Gemalto survey believe they have complete control over the data that their IoT products and services collect as it moves from partner to partner. More than 90 percent of IoT users in the same survey say there should be some form of IoT security regulation to ensure uniform standards and establish rules around data control at each step of the journey through the network. The rapid growth of malware targeting unpatched IoT devices only makes the case for uniform standards stronger.
Public comments on the February NISTIR 8200 draft show that even the private sector recognizes the need for IoT security standardization; however, little is being done or even considered. More states are looking at general cybersecurity regulations, but few have targeted IoT devices specifically. At the federal level, recent moves to limit the number of cybersecurity-focused posts make it difficult to see a road ahead for a more comprehensive cybersecurity strategy.
Watch this space.