WootCloud, an IoT security research firm, disclosed its discovery of a Mirai-based botnet dubbed OMNI that infects Polycom business video conferencing systems, along with three additional known botnets targeting the same systems and other Linux-based embedded devices.
When the discovery was announced in August 2018, almost all models of the Polycom HDX series of enterprise audio/video conferencing devices were vulnerable. The vulnerability could allow an attacker to launch brute-force and DDoS attacks and to turn compromised conferencing devices into proxies for routing Command and Control (C&C) communications.
OMNI represents one of the most severe IoT security concerns in enterprise conferencing systems: after bypassing the devices' various authentication mechanisms, it harnesses open-source software packages such as BusyBox and Wget that ship with the Polycom devices.
According to the researchers, the attacks evade traditional security controls and procedures, and companies have developed blind spots in monitoring such devices, so they cannot see the attacks in order to thwart them. This reemphasizes that smart connected devices inside enterprises remain the new attack vectors of the IoT era.
Mirai itself infected hundreds of thousands of IoT devices, which were used to launch some of the largest distributed denial-of-service (DDoS) attacks in history. It spread primarily in a worm-like manner over Telnet connections, taking advantage of the fact that most users do not change the default administrative credentials on their smart devices.
Although the original Mirai botnet is now inactive, its source code has been reused as the base for at least 13 other botnets, which bring more sophistication and improved infection methods.
WootCloud has since reported the botnets to Polycom, and on February 20, 2019 the company issued a security advisory warning customers that Polycom HDX endpoints running software versions older than 3.1.13 contain security vulnerabilities, previously listed on the Polycom Security Center, that can render HDX endpoints vulnerable to takeover by a botnet.
Polycom had also issued a security advisory in January warning customers about persistent cyber threats targeting unified communications devices deployed in a less secure manner, in particular those whose default credentials have not been changed.
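A defender-side check that follows from the two advisories, added here as an example that is not part of the original article or of any Polycom tooling: it triages a constructed device inventory (hypothetical hostnames and inventory fields) and flags HDX endpoints below 3.1.13 using numeric version comparison, since a plain string comparison would rank 3.1.9 above 3.1.13, as well as endpoints with unchanged default credentials or Telnet reachable from the Internet.

```python
"""Triage a conferencing-device inventory against the Polycom HDX advisory threshold."""
import re
from typing import Iterable, List, Tuple

# Threshold stated in the February 2019 advisory: HDX software older than 3.1.13 is affected.
FIXED_HDX_VERSION = "3.1.13"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.1.13' into (3, 1, 13) so versions compare numerically.

    Comparing the raw strings is the classic mistake: '3.1.9' > '3.1.13' as text,
    which would wrongly mark an affected endpoint as already fixed.
    """
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable_hdx(model: str, version: str) -> bool:
    """True when the endpoint is an HDX model running software below the fixed version."""
    if not model.strip().upper().startswith("HDX"):
        return False
    return parse_version(version) < parse_version(FIXED_HDX_VERSION)


def triage(inventory: Iterable[dict]) -> List[Tuple[str, List[str]]]:
    """Return (hostname, reasons) for every endpoint that needs attention."""
    findings = []
    for dev in inventory:
        reasons = []
        if is_vulnerable_hdx(dev["model"], dev["version"]):
            reasons.append(f"HDX software {dev['version']} older than {FIXED_HDX_VERSION}")
        if dev.get("default_credentials"):          # hypothetical inventory field
            reasons.append("default administrative credentials unchanged")
        if dev.get("telnet_enabled") and dev.get("internet_exposed"):  # hypothetical fields
            reasons.append("Telnet reachable from the Internet")
        if reasons:
            findings.append((dev["host"], reasons))
    return findings


# Constructed sample inventory; hostnames and values are made up for this example.
SAMPLE_INVENTORY = [
    {"host": "hdx-boardroom", "model": "HDX", "version": "3.1.9",
     "default_credentials": True, "telnet_enabled": True, "internet_exposed": True},
    {"host": "hdx-lab", "model": "HDX", "version": "3.1.13",
     "default_credentials": False, "telnet_enabled": False, "internet_exposed": False},
    {"host": "other-endpoint", "model": "NonHDX", "version": "1.0.0",
     "default_credentials": False, "telnet_enabled": True, "internet_exposed": False},
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_INVENTORY):
        print(host, "->", "; ".join(reasons))
```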