Cybersecurity experts at Unit 42 have discovered a new variant of the Mirai botnet that targets Linux powered IoT devices. The botnet took a huge chunk of Internet down in 2016, including web hosting provider OVH and DNS provider Dyn.

The new variant targets embedded devices like routers, network storage devices, NVRs, and IP cameras. Unit 42 found this new variant targeting enterprise WePresent WiPG-1000 Wireless Presentation systems and have discovered it in LG Supersign TVs.

“This development indicates to us a potential shift to using Mirai to target enterprises. The previous instance where we observed the botnet targeting enterprise vulnerabilities was with the incorporation of exploits against Apache Struts and SonicWall,” wrote Ruchna Nigam of Unit 62 in a blogpost, “In addition to this newer targeting, this new variant of Mirai includes new exploits in its multi-exploit battery, as well as new credentials to use in brute force against devices.”

This Mirai variant has added 11 new exploits, taking the total exploits to 27.

Enterprise customers need to focus on the security of their network and IoT devices running within their network. They should embrace some best practices, including changing the default password; be aware of what IoT devices are living within their network and also ensure they are fully patched.