NewSky Security first reported the born a new huge botnet, in just one day the botmaster compromised more than 18,000 Huawei routers.
NewSky security researcher Ankit Anubhav announced that the botnet had already infected 18,000 routers. The disconcerting aspect of the story is that the hacker gathered a so huge number of devices in a limited period of time, without using any zero-day issue.
We were tracking this botnet yesterday, the claimed 18000+ huawai router number is probably inflated, as we were able to take a peek at the file which highly likely stored the infected ips, the total count was 10901. and attached is the graphic of the C2 for this botnet, big one. https://t.co/gQBStREpCI
— 360 Netlab (@360Netlab) July 19, 2018
The Wicked Mirai botnet was first spotted by researchers at Fortinet, and Anubhav published on the NewSky’s blog and interview with the hacker.
Wicked/Anarchy is believed to be the threat actor behind other Mirai variants, including, Omni, and Owari (Sora).
As explained at the beginning of this post, Anarchy did not use any specific exploit to gather tens of thousands of devices in a few hours. The CVE-2017-17215 is a well-known vulnerability that was used by many other botnets, including the Mirai Satori, to gather zombies.
The CVE-2017-17215 zero-day vulnerability in the Huawei home router residing in the fact that the TR-064 technical report standard, which was designed for local network configuration, was exposed to WAN through port 37215 (UPnP – Universal Plug and Play).
The exploit code used to target the Huawei routers is publicly available, in December Ankit Anubhav discovered it on Pastebin.com..
“NewSky Security observed that a known threat actor released working code for Huawei vulnerability CVE-2017–17215 free of charge on Pastebin this Christmas. This exploit has already been weaponized in two distinct IoT botnet attacks, namely Satori and Brickerbot.” stated a blog post published by Anubhav.
At the time, the exploit code for the CVE- 2017-17215 was used by a hacker identified as “Nexus Zeta” to spread the Satori bot (aka Okiku).
The availability of the code online represents a serious risk, it could become a commodity in the criminal underground, vxers could use it to build their botnet.
Satori isn’t the only botnet leveraging the CVE-2017-17215 exploit code, earlier in December, the author of the Brickerbot botnet that goes online with the moniker “Janitor” released a dump which contained snippets of Brickerbot source code.
NewSky Security analyzed the code and discovered the usage of the exploit code CVE-2017–17215, this means that the code was available in the underground for a long.
“Testing has already started for the Realtek exploit during the night,” Anubhav told Bleeping Computer in a private conversation today. [Update: Both Rapid7 and Greynoise are confirming that scans for Realtek have gone through the roof today.]
Below the md5 and the C&C associated with the threat:
The attacker Anarchy has shared a list of infected victim IPs which at that point, I am not making public for obvious reasons. The bin in his botnet md5 >
As one can see, it uses only 1 exploit, 2017-17215. 2/n pic.twitter.com/F5BNNbf3bM
— Ankit Anubhav (@ankit_anubhav) July 18, 2018
— SMII Mondher (@smii_mondher) July 19, 2018