Hundreds of thousands of attempts to exploit a recently discovered vulnerability in Huawei HG532 home routers have been observed over the past month, Check Point security researchers warn.
The attacks were trying to drop Satori, an updated variant of the notorious Mirai botnet that managed to wreak havoc in late 2016. Targeting port 37215 on Huawei HG532 devices, the assaults were observed all around the world, including the USA, Italy, Germany and Egypt, the researchers say.
Common to these incidents was the attempt to exploit CVE-2017-17215, a zero-day vulnerability in the Huawei home router. The flaw stems from the TR-064 technical report standard, which was designed and intended for local network configuration, being exposed to the WAN through port 37215 (UPnP, Universal Plug and Play).
The affected device supports a service type named `DeviceUpgrade`, which supposedly carries out firmware upgrade actions. By injecting the shell meta-characters “$()” into the two elements with which the upgrade is carried out, a remote administrator could execute arbitrary code on the affected devices.
By successfully exploiting the flaw, an attacker could download and execute a malicious payload onto the impacted devices. In this case, the payload was the Satori botnet, Check Point notes.
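A defender-side check for the pattern described above, written as an added example that is not part of the Check Point report or Huawei's advisory: it parses a TR-064 SOAP body and flags any argument of a `DeviceUpgrade` action whose value carries command-substitution metacharacters. The sample requests, the argument names `ArgOne`/`ArgTwo`, and the service namespace URI are constructed assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET

# Command-substitution syntax that has no legitimate place in a firmware
# upgrade argument: "$(" is the pattern reported for CVE-2017-17215, and
# backticks are the equivalent shell form.
SHELL_META = re.compile(r"\$\(|`")


def find_injected_upgrade_args(soap_body: str) -> list:
    """Return [(argument_name, value), ...] for every argument of a
    DeviceUpgrade action whose value contains shell metacharacters.
    Unparsable input yields []; treat a parse failure as its own alert."""
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return []
    hits = []
    for action in root.iter():
        # ElementTree tags look like "{namespace}Local"; the TR-064 service
        # type is part of the namespace, so match on the whole tag.
        if "DeviceUpgrade" not in action.tag:
            continue
        for arg in action:
            value = (arg.text or "").strip()
            if SHELL_META.search(value):
                hits.append((arg.tag.split("}")[-1], value))
    return hits


# Constructed sample bodies (hypothetical argument names and namespace).
BENIGN_REQUEST = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:Upgrade xmlns:u="urn:dslforum-org:service:DeviceUpgrade:1">
   <ArgOne>http://firmware.example.invalid/status</ArgOne>
   <ArgTwo>http://firmware.example.invalid/image.bin</ArgTwo>
  </u:Upgrade>
 </s:Body>
</s:Envelope>"""

SUSPICIOUS_REQUEST = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:Upgrade xmlns:u="urn:dslforum-org:service:DeviceUpgrade:1">
   <ArgOne>$(HYPOTHETICAL_COMMAND)</ArgOne>
   <ArgTwo>$(HYPOTHETICAL_COMMAND)</ArgTwo>
  </u:Upgrade>
 </s:Body>
</s:Envelope>"""

if __name__ == "__main__":
    print(find_injected_upgrade_args(BENIGN_REQUEST))      # []
    print(find_injected_upgrade_args(SUSPICIOUS_REQUEST))  # two hits
```

Run the check against request bodies captured on port 37215 (for example from a WAN-facing proxy or IDS log); a single hit is enough to warrant blocking the source and confirming the device's firewall setting.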
Huawei was informed of the vulnerability on November 27. Within days, the company published an advisory confirming the vulnerability and informing users of available measures to circumvent or prevent the exploit: using the built-in firewall function, changing default passwords, and deploying a firewall on the carrier side.
“The customers can deploy Huawei NGFWs (Next Generation Firewall) or data center firewalls, and upgrade the IPS signature database to the latest version IPS_H20011000_2017120100 released on December 1, 2017 to detect and defend against this vulnerability exploits initiated from the Internet,” Huawei notes.
In this Satori attack, each bot is used to flood targets with manually crafted UDP or TCP packets. The bot first attempts to resolve the IP address of a command and control (C&C) server with a DNS request for a hardcoded domain name, then takes the addresses from the DNS response and tries to connect to them via TCP on the hardcoded target port (7645).
The C&C server provides the number of packets used for the flooding action and their corresponding parameters, and can also pass an individual IP for attack or a subnet.
The bot’s binary, the researchers discovered, contains a lot of unused text strings, supposedly inherited from another bot or a previous version.
A custom protocol is used for C&C communication. It includes two hardcoded requests with which the bot checks in with the server, and the server in turn responds with the parameters for launching distributed denial of service attacks.
While analyzing the incident, which involved the use of a zero-day and numerous servers to attack Huawei devices, the security researchers discovered that the actor behind the Satori botnet might be using the online handle of NexusZeta.
They were able to track the actor’s activity across several hacking forums and also discovered that NexusZeta is active on social media, most notably Twitter and GitHub, and has Skype and SoundCloud accounts under the name Caleb Wilson (caleb.wilson37 / Caleb Wilson 37), but they couldn’t determine whether this is the attacker’s real name.
Based on forum posts attributed to the actor, the researchers concluded that he isn’t an advanced actor, “but rather an amateur with lots of motivation, looking for the crowd’s wisdom.” What the security researchers couldn’t determine, however, was how the zero-day vulnerability arrived in the individual’s possession.
“Nonetheless, as seen in this case as well as others over the past year, it is clear that a combination of leaked malware code together with exploitable and poor IoT security, when used by unskilled hackers, can lead to disastrous results,” Check Point concludes.