In October of last year, the “Mirai” botnet—an army of enslaved devices that hackers used to attack key parts of the Internet—rendered top websites, like Amazon, Netflix, Twitter, and many others inaccessible for millions of people. Now security researchers are warning that they’ve spotted a successor that could prove to be much worse.
Whereas Mirai hijacked gadgets that used either no passwords or known factory-set defaults, the latest botnet, dubbed “Reaper” (or “IoTroop”) by its discoverers, has taken to commandeering recruits by exploiting vulnerabilities in devices’ software. The method has the potential to grow a far bigger base of zombie machines.
As Israeli cybersecurity giant Check Point noted in a post that sounded the alarm last week, the botnet is expanding “at a far greater pace and with more potential damage than the Mirai botnet of 2016.” The company said it estimates that more than 1 million organizations are already affected worldwide.
Though Check Point was first to call attention to the threat, the honor of first discovery goes to Qihoo 360, a Chinese cybersecurity firm. Its researchers wrote in an Oct. 20th blog post that it has been tracking the botnet since Sept. 13. (Check Point discovered it in the finals days of Sept.)
Get Data Sheet, Fortune’s technology newsletter
One of multiple botnet-controlling computer servers used by the hacker is already communicating with more than 10,000 potentially compromised devices per day, Qihoo’s researchers said. Millions more devices are queued up for recruitment, they said.
Instead of cracking passwords, Reaper is taking advantage of vulnerabilities in Internet-connected devices. Qihoo listed 9 vulnerabilities in products that the attacker (or attackers) appears to be actively exploiting, including webcams made by companies like AVTech, GoAhead, and Vacron, and routers made by D-Link, Cisco’s (CSCO) Linksys, and Netgear. (You can see the full list and more details about the security holes on the Qihoo’s and Check Point’s sites)
Neither Check Point nor Qihoo is certain what the attacker’s intentions may be, but if history provides any insight, it’s not unreasonable to expect that the botnet could unleash overwhelming barrages of distributed denial of service attacks against targets of its botmaster’s choosing. With some tweaks to the code, a hacker could transform the now-quiet army into the digital equivalent of Howitzer artillery.
“Currently, this botnet is still in its early stages of expansion,” a Qihoo researcher wrote. “But the author is actively modifying the code, which deserves our vigilance.”
One of the best ways to avoid having one’s devices succumb to a botnet of this nature is to apply security patches as soon as they become available. Unfortunately, many device manufacturers have not built in easy ways to update devices, or to be notified when updates become available.
