Satori IoT Botnet Exploits Zero-Day to Zombify Huawei Brand Routers

Infection only needs a beginning, and it travels faster than an arrow. A cure for such a disease is never far off, yet even with the cure the disease remains: we cure it one way and it comes back in another form, like a mutation.

Although the original creators of the infamous IoT malware Mirai have been arrested and sent to jail, variants of the notorious botnet remain in the game because its source code is available on the web.

Hackers have relied on the infamous IoT malware to quietly amass an army of unsecured internet-of-things devices, including home and office routers, that could be used at any moment to launch Internet-paralysing DDoS attacks.

Another variant of Mirai has struck again, propagating rapidly by exploiting a zero-day vulnerability in a Huawei home router model.

Dubbed Satori (also called Okiku), the Mirai variant has been concentrating on Huawei’s HG532 router model; Check Point security researchers said they tracked thousands of attempts to exploit a vulnerability in this model in the wild.

First identified by Check Point researchers in late November, Satori was found infecting more than 200,000 IP addresses in just 12 hours earlier this month, according to an analysis published by Chinese security firm 360 Netlab on Dec 5.

Researchers suspect that an unskilled hacker who goes by the name “Nexus Zeta” is exploiting a zero-day remote code execution vulnerability (CVE-2017-17215) in Huawei HG532 devices, according to a new report published Thursday night by Check Point.

The vulnerability stems from the fact that the Huawei devices’ implementation of TR-064 (a technical report standard), an application-layer protocol for remote management, was exposed to the public Internet through the Universal Plug and Play (UPnP) protocol on port 37215.
“TR-064 was designed and intended for local network configuration,” the report reads. “For example, it allows an engineer to implement basic device configuration, firmware upgrades and more from within the internal network.”

Since this vulnerability allowed remote attackers to execute arbitrary commands on these devices, attackers were found exploiting the flaw to download and execute a malicious payload on the Huawei routers and enlist them in the Satori botnet.
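The exposure described above is something a defender can check for in their own perimeter logs. The following is an added example (not code from Check Point, Huawei or the original article) that parses constructed netfilter-style firewall log lines and reports any source outside the RFC 1918 LAN ranges that reached the TR-064/UPnP port 37215; the log format, interface names and addresses are assumptions for the example.

```python
import ipaddress

# Port on which the HG532's TR-064 service was reachable from the Internet (from the article)
TR064_PORT = 37215

# TR-064 is meant for local-network configuration, so only these source ranges are expected
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed iptables/syslog-style lines for the example; addresses are documentation ranges
SAMPLE_LOG = """\
Dec  5 10:01:12 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=51234 DPT=37215
Dec  5 10:01:13 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=51235 DPT=37215
Dec  5 10:01:20 gw kernel: IN=br0 OUT= SRC=192.168.1.10 DST=192.168.1.1 PROTO=TCP SPT=40000 DPT=37215
Dec  5 10:02:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.20 PROTO=UDP SPT=9999 DPT=37215
Dec  5 10:02:30 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=44444 DPT=443
"""


def parse_line(line):
    """Return the KEY=VALUE fields of a netfilter log line as a dict, or None if SRC/DPT are absent."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if "SRC" not in fields or "DPT" not in fields:
        return None
    return fields


def is_lan_source(addr):
    """True if the address falls in one of the RFC 1918 ranges where TR-064 traffic is expected."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)


def wan_tr064_hits(log_text):
    """Map each non-LAN source address to the number of packets it sent to port 37215."""
    hits = {}
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None or int(fields["DPT"]) != TR064_PORT:
            continue
        if is_lan_source(fields["SRC"]):
            continue  # local management traffic is by design and not an exposure signal
        hits[fields["SRC"]] = hits.get(fields["SRC"], 0) + 1
    return hits


def exposure_report(log_text):
    """One-line verdict listing Internet-side sources that reached the TR-064 port, busiest first."""
    hits = wan_tr064_hits(log_text)
    if not hits:
        return "no Internet-side traffic to port 37215 seen"
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return "TR-064 port reachable from WAN: " + ", ".join(f"{ip} ({n})" for ip, n in ranked)


if __name__ == "__main__":
    print(exposure_report(SAMPLE_LOG))
```

A non-empty report means the management port is answering on the WAN side, which is exactly the condition the mitigations later in the article (built-in firewall, carrier-side firewall) are meant to remove.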

In the Satori attack, each bot is instructed to flood targets with manually crafted UDP or TCP packets.
“The number of packets used for the flooding action and their corresponding parameters are transmitted from the C&C server,” researchers said. “Also, the C&C server can pass an individual IP for attack or a subnet using a subnet address and a number of valuable bits.”

Although the researchers observed a flurry of attacks worldwide against Huawei HG532 devices, the most targeted countries were the USA, Italy, Germany, and Egypt.

Check Point researchers “discreetly” disclosed the vulnerability to Huawei as soon as their findings were confirmed on Friday, and the company acknowledged the vulnerability and issued an updated security notice to customers.
“An authenticated attacker could send malicious packets to port 37215 to launch attacks. A successful exploit could lead to the remote execution of arbitrary code,” Huawei said in its security advisory.

The company also offered some mitigations that could circumvent or prevent the exploit, including using the built-in firewall function, changing the default credentials on their devices, and deploying a firewall on the carrier side.

Users can also deploy Huawei NGFWs (Next Generation Firewalls) or data center firewalls, and upgrade their IPS signature database to the latest IPS_H20011000_2017120100 version released on Dec 1, 2017, in order to detect and defend against this flaw.
