Exploit code used by Satori, a variant of the Mirai malware, has been used to attack thousands of Huawei routers in the past few weeks, and researchers warn that the code will soon become a commodity, adopted by botnets such as Reaper or IoTroop and put to work in DDoS attacks.
Ankit Anubhav, a researcher at NewSky Security, confirmed this week that exploit code publicly released on Pastebin.com had been used by a hacker known as 'Nexus Zeta' to exploit the zero-day vulnerability CVE-2017-17215 and spread a Mirai variant called Satori, also known as Mirai Okiru.
The attack code has already been used by two different IoT botnets, Satori and Brickerbot, and now that it is publicly available it is expected to be integrated into other botnets.
'The code being made public means more hackers are using it, and now the attacks have become commoditized and are being added to attackers' arsenals,' said Maya Horowitz, threat intelligence manager at Check Point.
Last week, Check Point disclosed a vulnerability in Huawei's HG532 home router (CVE-2017-17215) that was exploited by Nexus Zeta to spread the Mirai Okiru / Satori variant of Mirai. Huawei subsequently released an updated security notice to customers, warning that the vulnerability allows a remote attacker to send malicious packets to port 37215 and execute arbitrary code on the vulnerable router.
'This code is now known to a variety of black hats, just as the SOAP vulnerabilities previously released to the public free of charge are used by hackers of all kinds,' said Anubhav, who on Thursday published a NewSky Security blog post outlining the discovery of the zero-day code.
The root cause is a SOAP-related bug, SOAP being a protocol used by many IoT devices, Anubhav said. Earlier SOAP problems (CVE-2014-8361 and the TR-064 flaw) affected different vendors and were widely exploited by Mirai variants.
In the case of CVE-2017-17215, the zero-day exploits the Huawei router's use of the Universal Plug and Play (UPnP) protocol and the TR-064 technical report standard. TR-064 is a standard that lets UPnP devices be easily added to a local network.
The researchers wrote: 'In this case, the TR-064 implementation of the Huawei device was exposed to the WAN via port 37215 (UPnP). The UPnP framework supports a "DeviceUpgrade" action, which performs firmware upgrades.'
The vulnerability allows remote administrators to execute arbitrary commands by injecting shell metacharacters into the DeviceUpgrade process.
Check Point's researchers wrote: 'After performing these operations, the attack returns the default HUAWEIUPNP message and initiates an "upgrade".'
The main purpose of the payload is to instruct the bot to flood targets with manually crafted UDP or TCP packets.
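As an added illustration, not code from Check Point, NewSky Security or Huawei, the following Python snippet shows the kind of check a network sensor or WAF could run on SOAP bodies posted to TCP/37215: it locates the DeviceUpgrade action described above and flags any parameter whose value contains shell metacharacters, which is exactly the injection vector the researchers describe. The service URN, the parameter name and both sample requests are constructed for this example and are not taken from the advisory.

```python
"""Flag TR-064 / UPnP DeviceUpgrade requests carrying shell metacharacters.

Added example: parses the XML body of a SOAP POST as it would be seen on
TCP/37215 and reports DeviceUpgrade parameters that could not safely be
passed to a shell. Service URN, parameter name and sample requests are
assumptions made for illustration, not vendor-documented values.
"""
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Characters that change the meaning of a string when interpolated into a
# shell command line. A raw '&' is invalid XML, so an attacker must send
# '&amp;'; the parser decodes it back to '&' before this regex sees it.
SHELL_META = re.compile(r"[;&|`$()<>\n\\]")


def localname(tag):
    """ElementTree encodes namespaced tags as '{uri}name'; keep only 'name'."""
    return tag.rsplit("}", 1)[-1]


def find_device_upgrade_args(body_xml):
    """Return {param: value} for a DeviceUpgrade action, or None if absent.

    None is also returned for malformed XML, so a truncated or junk request
    is reported as 'no action found' rather than raising.
    """
    try:
        root = ET.fromstring(body_xml)
    except ET.ParseError:
        return None
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None:
        return None
    # Match on the local name only: the service URN prefix varies by vendor.
    for action in body:
        if localname(action.tag) == "DeviceUpgrade":
            return {localname(p.tag): (p.text or "") for p in action}
    return None


def suspicious_params(body_xml):
    """Names of DeviceUpgrade parameters whose values contain shell metacharacters."""
    args = find_device_upgrade_args(body_xml)
    if not args:
        return []
    return [name for name, value in args.items() if SHELL_META.search(value)]


# Constructed sample request: a well-formed upgrade pointing at a plain URL.
BENIGN_REQUEST = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:DeviceUpgrade xmlns:u="urn:example-org:service:DeviceUpgrade:1">
   <FirmwareURL>http://192.0.2.10/firmware.bin</FirmwareURL>
  </u:DeviceUpgrade>
 </s:Body>
</s:Envelope>"""

# Constructed sample request: the same action with a command substitution
# canary smuggled into the URL, the pattern a command-injection probe uses.
INJECTED_REQUEST = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:DeviceUpgrade xmlns:u="urn:example-org:service:DeviceUpgrade:1">
   <FirmwareURL>http://192.0.2.10/firmware.bin$(id)</FirmwareURL>
  </u:DeviceUpgrade>
 </s:Body>
</s:Envelope>"""

# Constructed sample request: an unrelated action that must not be flagged.
OTHER_ACTION_REQUEST = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:GetStatus xmlns:u="urn:example-org:service:DeviceUpgrade:1"/>
 </s:Body>
</s:Envelope>"""


if __name__ == "__main__":
    for label, req in [("benign", BENIGN_REQUEST),
                       ("injected", INJECTED_REQUEST),
                       ("other", OTHER_ACTION_REQUEST)]:
        print(label, suspicious_params(req))
```

The check deliberately ignores the namespace prefix and does not try to recognise a specific payload: a sensor that matches only on one known exploit string is bypassed by the next rewrite of the script, whereas any shell metacharacter in an upgrade URL is a reason to drop the request whatever the payload.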
Huawei said mitigations include configuring the router's built-in firewall, changing the default password, or deploying a firewall on the carrier's side.
'Please be aware that this router is used mainly by home users, who usually do not log in to their router's interface, and I have to assume that most devices will not be protected,' Horowitz said. 'We urgently need Internet of Things device manufacturers to make security a top priority, rather than leaving it to the user.'