Satori IoT Botnet Exploits Zero-Day to Zombify Huawei Routers identified by researchers.
The flaw is in Huawei’s router model HG532. It said it is tracking hundreds of thousands of attempts to exploit the vulnerability in the wild.
The Mirai botnet made headlines in October 2016, targeting DNS provider Dyn and the Krebs on Security website with massive DDoS attacks. The original Mirai malware exploited flaws found in the CCTV and DVR hardware that allowed a default Linux telnet credential to be used.
Since the Mirai source code became publicly available, many hackers have modified the code and expanded the number of Internet of Things devices compromised. Most have taken advantage of shoddy protections around connected devices and embedded systems.
In the case of Okiku/Satori IoT Botnet, Check Point researchers suspected an inexperienced hacker that goes by “Nexus Zeta” is behind the attacks.
“The identity of the attacker was initially a mystery, with speculations running from advanced nation-state perpetrators to notorious threat gangs,” researchers said.
Researchers then cross-referenced the email addressed used for the domain registration with an email address used on the popular hacker forum called HackForums.
“Although he is rarely active in such forums, the few posts he does make disclose an amateur actor, though interesting his most recent focus was on an initiative to establish a Mirai-like IoT botnet,” researchers said.
The Okiku/Satori IoT Botnet attacks differ from previous Mirai variants in that they don’t rely on brute-force telnet-based attacks. Instead, the new variant runs attacks over port 37215 exploiting the previously unknown CVE-2017-17215 vulnerability in Huawei HG532 devices.
The attack involves a command injection, where the malicious payload is downloaded and executed on the Huawei router, researchers said.
The flaw is tied to the router’s use of the Universal Plug and Play (UPnP) protocol and the TR-064 technical report standard. TR-064 is a standard designed to make it easy to add embedded UPnP devices to a local network.
“In this case though, the TR-064 implementation in the Huawei devices was exposed to WAN through port 37215 (UPnP),” researchers wrote. The UPnP framework supports a “DeviceUpgrade” that can carry out a firmware upgrade action.
The vulnerability allows remote administrators to execute arbitrary commands by injecting shell meta-characters into the DeviceUpgrade process.
“After these have been executed, the exploit returns the default HUAWEIUPNP message, and the ‘upgrade’ is initiated,” researchers wrote.
The payload’s main purpose is to instruct the bot to flood targets with manually crafted UDP or TCP packets.
“The number of packets used for the flooding action and their corresponding parameters are transmitted from the C&C server. Also, the C&C server can pass an individual IP for attack or a subnet using a subnet address and a number of valuable bits,” researchers said.
According to Huawei, mitigation against attack includes configuring the router’s built-in firewall, changing the default password or using a firewall on the carrier side.
Check Point said it’s still unclear how the vulnerability it discovered found its way to Nexus Zeta’s possession.
“As seen in this case as well as others over the past year, it is clear that a combination of leaked malware code together with exploitable and poor IoT security, when used by unskilled hackers, can lead to disastrous results,” Check Point said.
Most Popular Training Courses at Indian Cyber Security Solutions
Summer Training for CSE, IT, BCA & MCA Students
Network Penetration Tester Training
Diploma in Web Application Security
Certified Web Application Penetration Tester
