Threat Advisory: Satori Mirai Variant Alert
Published December 06, 2017
Akamai, along with industry peers, has identified an updated variant of Mirai (Satori) that has activated within the past 24 hours and is growing rapidly. In the past 24 hours, Akamai has observed more than 650,000 unique IP addresses, and peers in the industry confirm seeing comparable numbers. This activity goes beyond the brute-force attacks seen in previous Mirai activity, adding exploits that target multiple vulnerabilities:
- One new undisclosed vulnerability in HuaweiHomeGateway & CPE devices
- Existing CVE-2014-836
- Previous list of vulnerabilities on IoT and CPE devices.
Much of the scanning activity is sourced from Mirai nodes of the most recent Wproot/Mroot and login variant, which dates from the end of November. The admin/CentryL1nk login variant seems to be concentrated in devices located in Egypt, Ecuador, Tunisia, Argentina, and Colombia.