Satori IoT Botnet Exploits Zero-Day to Zombify Huawei Routers


Researchers have identified a Satori IoT botnet variant that exploits a zero-day vulnerability to zombify Huawei routers.

The flaw is in Huawei’s HG532 router model. Check Point, which reported the vulnerability, said it is tracking hundreds of thousands of attempts to exploit it in the wild.

The Mirai botnet made headlines in October 2016, targeting DNS provider Dyn and the Krebs on Security website with massive DDoS attacks. The original Mirai malware took over CCTV cameras and DVRs by logging in with the default Linux telnet credentials those devices shipped with.

Since the Mirai source code became publicly available, many hackers have modified the code and expanded the number of Internet of Things devices compromised. Most have taken advantage of shoddy protections around connected devices and embedded systems.

In the case of Okiku/Satori IoT Botnet, Check Point researchers suspected an inexperienced hacker that goes by “Nexus Zeta” is behind the attacks.

“The identity of the attacker was initially a mystery, with speculations running from advanced nation-state perpetrators to notorious threat gangs,” researchers said.

Researchers then cross-referenced the email address used for the domain registration with an email address used on the popular hacker forum HackForums.

“Although he is rarely active in such forums, the few posts he does make disclose an amateur actor, though interestingly his most recent focus was on an initiative to establish a Mirai-like IoT botnet,” researchers said.

The Okiku/Satori IoT Botnet attacks differ from previous Mirai variants in that they don’t rely on brute-force telnet-based attacks. Instead, the new variant runs attacks over port 37215 exploiting the previously unknown CVE-2017-17215 vulnerability in Huawei HG532 devices.

The attack involves a command injection, where the malicious payload is downloaded and executed on the Huawei router, researchers said.

The flaw is tied to the router’s use of the Universal Plug and Play (UPnP) protocol and the TR-064 technical report standard. TR-064 is a standard designed to make it easy to add embedded UPnP devices to a local network.

“In this case though, the TR-064 implementation in the Huawei devices was exposed to WAN through port 37215 (UPnP),” researchers wrote. The UPnP framework supports a “DeviceUpgrade” that can carry out a firmware upgrade action.

The vulnerability allows remote administrators to execute arbitrary commands by injecting shell meta-characters into the DeviceUpgrade process.

“After these have been executed, the exploit returns the default HUAWEIUPNP message, and the ‘upgrade’ is initiated,” researchers wrote.
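The following Python script is an added example, not code from the original post or from Check Point's report. It shows how a defender could flag activity of the kind described above in connection logs: traffic that reaches the TR-064 port 37215 from the WAN side is reported as exposure, and a request that names the DeviceUpgrade action and carries shell meta-characters is escalated as a probable command-injection attempt. The log format, the field names and the sample lines are all constructed for illustration and do not correspond to any real device's logging.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

TR064_PORT = 37215              # port the report says TR-064 was exposed on
UPGRADE_MARKER = "DeviceUpgrade"  # UPnP action named in the report
# Shell meta-characters that a command injection relies on; a legitimate
# firmware URL never needs any of these.
SHELL_META = re.compile(r"[;|`&]|\$\(|\$\{")

# Constructed log format (assumed, not any vendor's real format):
#   <timestamp> iface=<wan|lan> src=<ip> dport=<port> payload="<text>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) iface=(?P<iface>\w+) src=(?P<src>[\d.]+) '
    r'dport=(?P<dport>\d+) payload="(?P<payload>.*)"$'
)


@dataclass
class Record:
    ts: str
    src: str
    iface: str      # side the packet arrived on: "wan" or "lan"
    dport: int
    payload: str    # first bytes of the TCP payload, decoded as text


@dataclass
class Finding:
    ts: str
    src: str
    severity: str   # "low", "medium" or "high"
    reason: str


def parse_line(line: str) -> Optional[Record]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Record(m["ts"], m["src"], m["iface"], int(m["dport"]), m["payload"])


def classify(rec: Record) -> Optional[Finding]:
    """Decide whether a record is worth reporting and how severe it is."""
    if rec.dport != TR064_PORT:
        return None                       # not the TR-064 service at all
    if rec.iface != "wan":
        return None                       # TR-064 is meant for the LAN side
    if UPGRADE_MARKER not in rec.payload:
        # Any WAN-side traffic reaching the port shows the service is exposed.
        return Finding(rec.ts, rec.src, "low", "TR-064 port reachable from WAN")
    if SHELL_META.search(rec.payload):
        return Finding(rec.ts, rec.src, "high",
                       "shell meta-characters in DeviceUpgrade request from WAN")
    return Finding(rec.ts, rec.src, "medium", "DeviceUpgrade request from WAN")


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run the classifier over log lines, skipping lines that do not parse."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log lines (documentation IP ranges, no real traffic).
SAMPLE_LOG = [
    '2017-12-21T10:15:02Z iface=lan src=192.168.1.20 dport=37215 payload="DeviceUpgrade url=http://192.168.1.1/fw.bin"',
    '2017-12-21T10:15:09Z iface=wan src=203.0.113.45 dport=37215 payload="DeviceUpgrade url=http://198.51.100.7/fw.bin;echo injected"',
    '2017-12-21T10:15:11Z iface=wan src=203.0.113.46 dport=37215 payload="DeviceUpgrade url=http://198.51.100.7/fw.bin"',
    '2017-12-21T10:15:13Z iface=wan src=203.0.113.47 dport=37215 payload=""',
    '2017-12-21T10:15:20Z iface=wan src=203.0.113.48 dport=80 payload="GET / HTTP/1.1"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.severity:6} {f.src:15} {f.reason}")
```

Running the script prints one line per finding. The "low" finding (WAN traffic reaching port 37215 without any upgrade request) is the exposure condition that Huawei's advice to configure the router's firewall is meant to close; the "high" finding is the injection pattern itself, which a legitimate firmware URL never produces.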

The payload’s main purpose is to instruct the bot to flood targets with manually crafted UDP or TCP packets.

“The number of packets used for the flooding action and their corresponding parameters are transmitted from the C&C server. Also, the C&C server can pass an individual IP for attack or a subnet using a subnet address and a number of valuable bits,” researchers said.

According to Huawei, mitigations against the attack include configuring the router’s built-in firewall, changing the default password, or using a firewall on the carrier side.

Check Point said it is still unclear how the vulnerability it discovered came into Nexus Zeta’s possession.

“As seen in this case as well as others over the past year, it is clear that a combination of leaked malware code together with exploitable and poor IoT security, when used by unskilled hackers, can lead to disastrous results,” Check Point said.
