Before Christmas, the Mirai botnet made the headlines once again, a new variant dubbed Satori was responsible for hundreds of thousands of attempts to exploit a recently discovered vulnerability in Huawei HG532 home routers.
The activity of the Satori botnet has been observed over the past month by researchers from Check Point security.
Satori is an updated variant of the notorious Mirai botnet that was first spotted by the malware researchers MalwareMustDie in August 2016. The malicious code was developed to target IoT devices, the Satori version targets port 37215 on Huawei HG532 devices.
The attacks against Huawei HG532 devices were observed in several countries, including the USA, Italy, Germany, and Egypt.
Experts observed that attacks attempt to exploit the CVE-2017-17215 zero-day vulnerability in the Huawei home router residing in the fact that the TR-064 technical report standard, which was designed for local network configuration, was exposed to WAN through port 37215 (UPnP – Universal Plug and Play).
News of the day is that the code used to target the Huawei routers over the past several weeks is now publicly available.
The discovery was made by Ankit Anubhav, a researcher at security firm NewSky.
Anubhav first discovered the code on Pastebin.com early this week.
“NewSky Security observed that a known threat actor released working code for Huawei vulnerability CVE-2017–17215 free of charge on Pastebin this Christmas. This exploit has already been weaponized in two distinct IoT botnet attacks, namely Satori and Brickerbot.” states a blog post published by Anubhav.
The exploit code for the CVE- 2017-17215 was used by a hacker identified as “Nexus Zeta” to spread the Satori bot (aka Okiku).
The availability of the code online represents a serious risk, it could become a commodity in the criminal underground, vxers could use it to build their botnet.
Satori isn’t the only botnet leveraging the CVE-2017-17215 exploit code, earlier in December, the author of the Brickerbot botnet that goes online with the moniker “Janitor” released a dump which contained snippets of Brickerbot source code.
NewSky Security analyzing the code discovered the usage of the exploit code CVE-2017–17215, this means that the code was available in the underground for a long.
“Let us compare this with a binary of Satori botnet (in the image below). Not only we see the same attack vector i.e. code injection in <NewStatusURL>, but also, we witness the other indicator “echo HUAWEIUPNP“ string, implying that both Satori and Brickerbot had copied the exploit source code from the same source.” continues NewSky.
This is not the first time that IoT botnets leverage issues related to the SOAP protocol. Earlier this year, security experts observed several Mirai-based botnets using two other SOAP bugs (CVE-2014–8361 and TR-64) which are code injections in <NewInternalClient> and <NewNTPServer> respectively.
Back to the present, Huawei provided a list of mitigation actions for this last wave of attacks that includes configuring a router’s built-in firewall, changing the default password or using a firewall at the carrier side.
I avoided to provide the link to the code published on Pastebin, but it is very easy to find it with the proper query.
(Security Affairs – Satori Botnet, CVE-2017-17215)