Kaspersky Global Research & Analysis Team (GReAT) researchers have found multiple IoT devices targeted with a new version of the Mirai botnet. Mirai remains one of the top threats to IoT in 2025 due to widespread exploitation of weak login credentials and unpatched vulnerabilities, enabling large-scale botnets for DDoS attacks, data theft and other malicious activities.
According to Kaspersky research, there were 1,7 billion attacks on IoT devices (including those made with Mirai) coming from 858 520 devices globally in 2024. 853 393 attacks on IoT devices (including those made with Mirai) were launched from South Africa in 2024, which is almost 3,5 times more than in 2023.
To explore IoT attacks, how such attacks are carried out and how to prevent them, Kaspersky set up so-called honeypots – decoy devices used to attract the attention of the attackers and analyse their activities. In the honeypots, Kaspersky detected the exploitation of the CVE-2024-3721 vulnerability to deploy a bot. It turned out to be a Mirai botnet modification. A botnet is a network of compromised devices infected by malware to perform coordinated malicious activities under the control of an attacker.
This time, the focus of the attacks was digital video recorders (DVRs), which are integral to security and surveillance across multiple sectors. They record footage from cameras to monitor homes, retail stores, offices, warehouses, factories, airports, train stations, and educational institutions, to enhance public safety and secure critical infrastructure. Attacks on DVR devices can compromise privacy, but beyond that, they can serve as entry points for attackers to infiltrate broader networks, spreading malware and creating botnets to launch DDoS attacks, as seen with Mirai.
The discovered DVR bot includes mechanisms to detect and evade virtual machine (VM) environments or emulators commonly used by security researchers to analyse malware. These techniques help the bot avoid detection and analysis, allowing it to operate more stealthily and remain active on infected devices.
“The source code of the Mirai botnet was shared on the Internet nearly a decade ago, and since then, it has been adapted and modified by various cybercriminal groups to create large-scale botnets mostly focused on DDoS and resource hijacking. Exploiting known security flaws in unpatched IoT devices and servers, combined with the widespread use of malware targeting Linux-based systems, results in a significant number of bots constantly searching the Internet for devices to infect. By analysing public sources, we identified over 50 000 exposed DVR devices online, indicating that attackers have numerous opportunities to target unpatched, vulnerable devices,” comments Anderson Leite, security researcher with Kaspersky’s GReAT.
To reduce the risk of IoT device infection, users should:
• Change default credentials and use strong, unique passwords.
• Regularly update DVR firmware to patch known vulnerabilities.
• Disable remote access if unnecessary or use secure VPNs for management.
• Segment DVRs on isolated networks.
• Monitor for unusual network traffic to detect potential compromises.
For more information contact Kaspersky SA,
© Technews Publishing (Pty) Ltd. | All Rights Reserved.
printer friendly version