Exposed | The Zombie World: The Giant Botnet Targeting Chinese Routers Is Just Getting Started

Put together, cases spanning more than a year give us a new perspective: the 'zombies' are coming, and they are hard to stop.

In late 2017, the U.S. Department of Justice announced that the creators of the Mirai botnet had pleaded guilty. Mirai caused the 2016 'East Coast internet outage', the world's first large-scale IoT attack, which wreaked havoc across the eastern United States and has once again drawn public attention to botnets.

In fact, Leiphone had previously warned that the botnets security researchers went on to observe are far larger than Mirai's 'zombie army'. The 'Satori' botnet, for example, infected more than 260,000 IP addresses within 12 hours and took control of hundreds of thousands of home routers using a newly discovered command execution vulnerability in Huawei HG532 series routers, CVE-2017-17215 (for details, see the Leiphone report "Huge botnet Satori targets a Chinese brand of router; the author's identity has been disclosed").

But this is only the tip of the iceberg: behind a 'Satori' that now appears to be contained lie more hidden dangers and latent risks. Leiphone got in touch with 360 Netlab researcher Li Fengpei to explore this more hidden 'zombie' world.

1. Why did 'Satori' target Huawei routers, and what does that imply?

Li Fengpei: Satori had 260,000 IPs active within 12 hours; we estimate the overall size should be around 600,000 routers, which is a nuclear-level botnet.

Satori inherited a large amount of Mirai's original code, and its main structure is very similar to Mirai's, but the means of infection and the targets have changed. As for why Huawei routers rather than other routers: in my opinion, the attacker probably made a variety of infection attempts, happened to hit a vulnerability that affected an installed base of millions of devices, and quickly recruited 600,000 zombies, mostly home routers.

2. Should we blame device manufacturers for 'not doing their job'?

Li Fengpei: This involves the supply chain. Saying that device vendors do nothing about security is not objective. New cameras will have security measures, and vendors are in fact actively looking for ways to make their devices safer.

The hard part is the devices that have already shipped and are already online, numbering in the millions. If a problem is found in a device model, it is also hard for the manufacturer to control. For example, a product sold to country A and country C but never sold to country B turns up in large numbers in country B, because the sales channel changed hands, which is beyond the manufacturer's control. It may not even be able to find someone to notify and handle it.

After sale, some devices are simply out of anyone's control. Why is the domestic situation better? Domestically, purchases are often made by industry; for example, an expressway management agency buys a batch centrally, and if there is a problem there is someone to find. As long as there is management in place, things get handled. This is why China uses a large number of cameras yet we have not heard of them being attacked that badly: the vendors have done their job. Whether they have done their best to meet the community's expectations is for others to judge; we won't speak ill of anyone.

3. Some IoT reports say routers, cameras and printers are the biggest potential security threats in the Internet of Things. What do you think?

Li Fengpei: Printers are a little less exposed to the outside network. We don't look at it from the vulnerabilities; vulnerabilities are potential threats, whereas what we see is what has actually happened, devices that have actually been exploited. I particularly want to say: pay attention to home routers. The plea agreement referred to by the Department of Justice said that when the three Mirai defendants exploited a vulnerability in December 2016, the infected devices were home routers, not cameras.

The core reason is that the router's exposed surface on the network is large enough: a router must have a public address and can be scanned from outside, and that is decisive. Besides that decisive factor, the known and unknown vulnerabilities in the installed base, including some old, undiscovered ones, are also a reason.

Your home printer will not directly have a public address; cameras and routers do. We want to remind everyone that the real problem with home routers is much more serious than with cameras. And when a home router does have a problem, you may not even realize it: as long as you can still get online, an individual won't notice that the router is under someone else's control.

From the home user's point of view, if things get slow you may restart the router and you're fine. An attacker infects a large area at very low cost, and he isn't too concerned about hiding his tracks on the infected device.

4. Is the Satori matter now considered fully resolved?

Li Fengpei: Satori's impact is really big. It infected 260,000 devices in 12 hours; after our report went out, many other security companies confirmed the number we saw. Everyone saw how large the botnet was. ISPs, carriers and DNS operators worked spontaneously and took two days to take the control console's domain names and IP addresses away from the botnet controllers.

This is not a perfect solution: taking over the domain names and the hosting of the controller IP addresses can significantly slow the botnet's evolution; however, the device vulnerabilities still exist, and some people already know how to do it again in a more covert way.

5. So just scan again and set up a new (control) domain name, and it's done?

Li Fengpei: Yes, the cost is very low.

6. Then how do we play this game? Knock one down and another grows.

Li Fengpei: Yes. These measures in cyberspace can curb and slow down this threat. For example, the next time the attacker sweeps, he won't get 260,000 devices in 12 hours as before; maybe the measures we take will reduce it so that it takes 12 days to sweep up 260,000 devices, but that's all. To solve this problem in the final analysis, we need a 'physical' crackdown by law enforcement agencies that puts the suspects in prison.

To deal with petty thieves you can use the cyberspace approach described above, but to deal with the real big-time bandits you can only rely on law enforcement. Foreign banks care more about this: you attack me once and I will see you jailed, and there are countless others behind me; even if you did not attack me directly, you attacked my clients.
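The sweeps Li Fengpei describes, 260,000 devices in 12 hours, show up on the defender's side as a sudden jump in the number of distinct sources probing one port. The following is an added example, not code from the article, from 360 Netlab or from any botnet-tracking product: a small detector run over constructed honeypot log lines that counts distinct scanning sources per destination port in fixed time windows and flags a port whose source count jumps well above the previous window. The log format, the port numbers in the sample (the article names no port; 37215 is used only as a sample value), the window size and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed honeypot log format (assumed): "<ISO timestamp> <src_ip> -> :<dst_port>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> :(\d+)$")

# Constructed sample: a quiet baseline on port 23, then a burst of twelve
# distinct sources hitting the sample port 37215 inside one hour.
SAMPLE_LOG = "\n".join(
    [
        "2017-12-05T00:05:00 203.0.113.7 -> :23",
        "2017-12-05T00:40:00 203.0.113.9 -> :23",
        "2017-12-05T01:15:00 203.0.113.7 -> :23",
        "2017-12-05T01:20:00 203.0.113.7 -> :37215",
        "2017-12-05T02:05:00 203.0.113.9 -> :23",
        "garbage line that the parser must skip",
    ]
    + [f"2017-12-05T02:{i:02d}:00 198.51.100.{i} -> :37215" for i in range(1, 13)]
)


def parse_log(text):
    """Yield (timestamp, src_ip, dst_port) for each well-formed line; skip junk."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))


def distinct_sources_per_window(events, window=timedelta(hours=1)):
    """Map (dst_port, window_start) -> set of distinct source IPs seen in that window."""
    buckets = defaultdict(set)
    for ts, src, port in events:
        # Floor the timestamp to the start of its window.
        start = ts - (ts - datetime.min) % window
        buckets[(port, start)].add(src)
    return buckets


def detect_sweeps(text, window=timedelta(hours=1), min_sources=5, growth=4.0):
    """Return [(dst_port, window_start, n_sources)] for every window in which the
    number of distinct scanners on a port is above an absolute floor AND at least
    `growth` times the count in the previous window for the same port.

    Counting distinct sources rather than packets matters: one noisy scanner
    is not a botnet, but hundreds of new sources on one port in one hour is.
    """
    buckets = distinct_sources_per_window(parse_log(text), window)
    alerts = []
    for (port, start), srcs in sorted(buckets.items()):
        previous = len(buckets.get((port, start - window), ()))
        n = len(srcs)
        if n >= min_sources and n >= growth * max(previous, 1):
            alerts.append((port, start, n))
    return alerts


if __name__ == "__main__":
    for port, start, n in detect_sweeps(SAMPLE_LOG):
        print(f"port {port}: {n} distinct sources in the hour starting {start:%Y-%m-%d %H:%M}")
```

On the constructed sample this reports only the burst on port 37215 in the 02:00 window; the two or three baseline sources on port 23 stay below the floor. In practice the thresholds would be set from the honeypot's own history, and the per-window source sets are what you hand to ISPs and DNS operators when asking for the kind of takeover described above.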

Conclusion

If you have followed the Huawei HG532 series router command execution vulnerability CVE-2017-17215 closely, you will have noticed that a few days ago the well-known Chinese security researcher TK said on Weibo: 'About the Huawei HG532 remote command execution vulnerability (CVE-2017-17215): all the related articles say the manufacturer has provided a patch. Students who wrote those articles, did you actually see the patch?' He went on to say that the HG532 command execution vulnerability CVE-2017-17215 may be more dangerous than most people currently think: the port used to exploit this vulnerability is only accessible from the intranet by default, but it can be exploited remotely via CSRF. In other words, 'only reachable from the LAN' is not a defence on its own: a browser on the LAN that loads a malicious web page can be made to send the request on the attacker's behalf, and the device sees a request from a trusted internal address.
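To make the CSRF point concrete, here is an added example of the request filter a LAN-only management endpoint needs. It is not Huawei code and does not describe how any HG532 firmware actually behaves; the device addresses, header handling and return values are assumptions. The existing 'LAN-only' rule is kept as the first check, and the constructed cross-site case shows why it is not enough: the request really does come from a LAN client, and only the Origin (or Referer) header reveals which page caused the browser to send it.

```python
import ipaddress
from urllib.parse import urlparse

# Assumed: the names/addresses under which the device legitimately serves its UI,
# and the LAN it considers 'internal'.
DEVICE_HOSTS = {"192.168.1.1", "router.lan"}
LAN_NET = ipaddress.ip_network("192.168.1.0/24")


def _origin_host(headers):
    """Hostname from Origin, falling back to Referer; None if neither is usable."""
    for name in ("origin", "referer"):
        value = headers.get(name)
        if value:
            return urlparse(value).hostname  # 'null' or garbage -> None
    return None


def should_accept(client_ip, headers):
    """Decide whether a request to the management port may be processed.

    Applied to every method, not only POST: many embedded UIs change state on GET.
    Returns (accepted, reason) so the caller can log why a request was dropped.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    # 1. The legacy rule: only LAN clients may reach the port at all.
    if ipaddress.ip_address(client_ip) not in LAN_NET:
        return False, "client not on LAN"

    # 2. The request must be addressed to the device's own name or address.
    #    A foreign Host header means the browser was pointed here via some other
    #    DNS name (the DNS-rebinding pattern), so refuse it.
    host = h.get("host", "").split(":")[0]  # strip :port (IPv4/hostnames only, assumed)
    if host not in DEVICE_HOSTS:
        return False, "unexpected Host header"

    # 3. The page that caused the request must itself be the device's UI.
    #    Without this check a LAN browser viewing an attacker's page passes 1 and 2.
    origin = _origin_host(h)
    if origin is None:
        return False, "no Origin/Referer on request to management port"
    if origin not in DEVICE_HOSTS:
        return False, f"cross-site request from {origin}"
    return True, "same-origin request from LAN"


# Constructed requests (client IP, headers); none of these are captured traffic.
LEGIT_LAN = ("192.168.1.20", {"Host": "192.168.1.1", "Origin": "http://192.168.1.1"})
CSRF_LAN = ("192.168.1.20", {"Host": "192.168.1.1", "Origin": "http://evil.example"})
NO_ORIGIN = ("192.168.1.20", {"Host": "192.168.1.1"})
WAN_DIRECT = ("203.0.113.5", {"Host": "192.168.1.1", "Origin": "http://192.168.1.1"})
REBIND = ("192.168.1.20", {"Host": "evil.example", "Origin": "http://evil.example"})
REFERER_ONLY = ("192.168.1.20", {"Host": "router.lan", "Referer": "http://router.lan/admin"})

if __name__ == "__main__":
    for label, (ip, hdrs) in [("legit", LEGIT_LAN), ("csrf", CSRF_LAN), ("no-origin", NO_ORIGIN),
                              ("wan", WAN_DIRECT), ("rebind", REBIND), ("referer", REFERER_ONLY)]:
        print(f"{label:10s} -> {should_accept(ip, hdrs)}")
```

The trade-off to be aware of: some clients send neither Origin nor Referer (old browsers, strict referrer policies), and this filter rejects those, which is the safe failure mode for a management port. A per-session anti-CSRF token carried in the request body is the stronger fix and is independent of what the browser chooses to send, but the header check above is what can be retrofitted quickly to a device whose UI cannot easily be changed.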

This means that even though Satori seems to have gone quiet under the current joint takedown effort, things are far from over: whether it is the 'Satori' that Li Fengpei says can easily be rebuilt, or the new way of exploiting the vulnerability that TK and others point to, either can trigger new threats.

The zombie world seems endless.

But there is still hope. As Li Fengpei said of the financial industry's 'revenge': when a botnet attacks the financial industry, the losses are real money, so financial institutions fight back with offline strikes and give such attackers a deterrent.

Will the victims in other industries, security practitioners and law enforcement agencies 'pursue it to the end'?

We await the answer.

2016 GoodChinaBrand | ICP: 12011751 | China Exports