Botnet Goes after Routers

Tuesday, December 26, 2017 @ 02:12 PM gHale


There is a vulnerability in Huawei HG532 home routers, and attackers appear to be exploiting it to install botnet malware, researchers said.

The attacks were trying to drop Satori, an updated variant of the Mirai botnet that broke out late last year, said researchers at Check Point.

The attacks targeted port 37215 on Huawei HG532 devices and were observed in the United States, Italy, Germany and Egypt, in addition to other parts of the world, researchers said.

The goal behind the attack was to take advantage of CVE-2017-17215, a zero-day vulnerability in the Huawei home router.

The affected device supports a service type named `DeviceUpgrade`, which is supposedly carrying out firmware upgrade actions, researchers said in a post.

By injecting shell meta-characters “$()” in two elements with which the upgrade is carried out, a remote administrator could execute arbitrary code on the affected devices, researchers said.

An attacker could download and execute a malicious payload on the impacted devices. In this case, the payload was the Satori botnet, Check Point researchers said.

Researchers told Huawei about the issue November 27 and within days, the company published an advisory to confirm the vulnerability and inform users on measures to prevent the exploit. They said users should use the built-in firewall function, change default passwords and deploy a firewall at the carrier side.

In this Satori attack, each bot floods targets with manually crafted UDP or TCP packets. The bot first attempts to resolve the IP address of a command and control (C&C) server using a DNS request with the hardcoded domain name, then gets the addresses from the DNS response and tries to connect via TCP on the hardcoded target port (7645).

The C&C server provides the number of packets used for the flooding action and their corresponding parameters, and can also pass an individual IP for attack or a subnet.

The bot’s binary contains unused text strings, supposedly inherited from another bot or a previous version, researchers said.

A custom protocol is used for C&C communication. It includes two hardcoded requests to check in with the server, which in turn responds with the parameters for launching distributed denial of service attacks.
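The two network indicators named in this article, inbound traffic to port 37215 on the routers and outbound TCP to port 7645, can be correlated in flow logs to triage devices. The following is an added example, not code from Check Point or Huawei; the CSV layout, the 203.0.113.0/24 subscriber range and the sample records are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime
from ipaddress import ip_address, ip_network

EXPLOIT_PORT = 37215  # port targeted on HG532 devices, per the article
C2_PORT = 7645        # hardcoded C&C TCP port, per the article
CPE_NET = ip_network("203.0.113.0/24")  # assumed subscriber range (documentation prefix)

# Constructed flow records for illustration, not captured traffic.
SAMPLE_FLOWS = """ts,proto,src,dst,dport
2017-12-01T10:00:00,tcp,198.51.100.7,203.0.113.10,37215
2017-12-01T10:00:05,tcp,198.51.100.7,203.0.113.11,37215
2017-12-01T10:00:09,tcp,203.0.113.10,192.0.2.50,7645
2017-12-01T10:01:00,tcp,203.0.113.12,192.0.2.50,7645
2017-12-01T10:02:00,udp,203.0.113.11,192.0.2.99,7645
2017-12-01T10:03:00,tcp,203.0.113.13,192.0.2.80,443
"""

def classify(flow_csv, cpe_net=CPE_NET):
    """Return {router_ip: verdict} for routers touched by either indicator.

    Records are assumed to be in time order, so the first match is the earliest.
    """
    probed = {}   # router -> time of first inbound hit on EXPLOIT_PORT
    checkin = {}  # router -> time of first outbound TCP to C2_PORT
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"] != "tcp":
            continue  # both indicators described in the article are TCP
        ts = datetime.fromisoformat(row["ts"])
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        port = int(row["dport"])
        if port == EXPLOIT_PORT and dst in cpe_net and src not in cpe_net:
            probed.setdefault(str(dst), ts)
        elif port == C2_PORT and src in cpe_net and dst not in cpe_net:
            checkin.setdefault(str(src), ts)
    verdicts = {}
    for router in sorted(set(probed) | set(checkin)):
        if router in probed and router in checkin and checkin[router] >= probed[router]:
            verdicts[router] = "likely-compromised"  # probe followed by check-in
        elif router in checkin:
            verdicts[router] = "c2-traffic"          # check-in seen, probe not logged
        else:
            verdicts[router] = "probed"              # exploit attempt only
    return verdicts

if __name__ == "__main__":
    for router, verdict in classify(SAMPLE_FLOWS).items():
        print(router, verdict)
```

Routers in the "probed" bucket are candidates for the firewall and password measures in Huawei's advisory; the other two buckets warrant inspection of the device itself.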


