Internet-based attacks are not new; it is an ongoing battle that seems to have no end. Mirai malware and its variants have been used to attack hundreds of thousands of routers all over the world. A Mirai variant dubbed Satori did exactly that recently, targeting Huawei routers. Here is where it gets interesting: the source code of the exploit used in this recent Satori attack has been made public. Who in their right mind would make this code public? It can easily be used to deliver more DDoS attacks via botnets such as IoTroop, Reaper and other variants.
The code was made public last Monday on Pastebin.com and was identified by Ankit Anubhav, a researcher at NewSky Security. It exploits the zero-day vulnerability CVE-2017-17215, which was used by a hacker named “Nexus Zeta” to spread the Mirai variant called Satori, also known as Mirai Okiru.
With the source code public, more hackers will be using it, whether the whole code or just parts of it, to build a much more potent release. It becomes a commodity that IoT botnet developers add to their cookbooks of malicious code, and that arsenal can pack enough of a punch to paralyze or take down something huge.
Last week, Check Point identified the vulnerability (CVE-2017-17215) in the Huawei HG532 home router that was being exploited by Nexus Zeta to spread the Mirai variant Okiru/Satori. Huawei has since issued an updated security notice warning customers that the flaw allows a remote adversary to send malicious packets to port 37215 and execute code remotely on vulnerable routers.
White hat and black hat hackers alike have known about this code, and other exploits have been released free to the public before. Expect malicious scripts to be built from it by hobbyists, enthusiasts, newbies and even professionals, in whatever shape or form they want to use it. NewSky Security posted a blog on Thursday outlining its discovery of the zero-day code.
The underlying cause was a bug related to SOAP, a protocol used by many IoT devices, Anubhav said. Earlier SOAP-related issues (CVE-2014-8361 and TR-064) affected different vendors and were widely used by Mirai variants.
The CVE-2017-17215 zero-day exploit shows how the Huawei router's use of the Universal Plug and Play (UPnP) protocol, together with its implementation of the TR-064 technical report standard, can be abused. What is TR-064, you ask? TR-064 is a standard designed to make it easy to add embedded UPnP devices to a local network.
Because the TR-064 implementation exposes UPnP on WAN port 37215, the Huawei devices can be compromised from the Internet. The UPnP framework supports a “DeviceUpgrade” action, which in turn carries out a firmware upgrade.
The vulnerability allows remote administrators to execute arbitrary commands by injecting shell meta-characters into the DeviceUpgrade process.
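What a defender can do with the description above is watch the exposed port for it: a DeviceUpgrade request arriving on TCP/37215 from the WAN side is suspicious on its own, and one whose arguments carry shell metacharacters is the injection pattern just described. The following Python is an added example written for this article; it is not code from Check Point, NewSky Security, Huawei or the leaked exploit. It assumes the HTTP POST has already been reassembled into a header dict and a body string (for instance by a proxy or IDS script), and the argument name FirmwareURL and the service namespace are constructed placeholders, not the router's real SOAP schema.

```python
"""Flag DeviceUpgrade SOAP requests seen on TCP/37215 that carry shell metacharacters.

Added example for this article; the SOAP argument name (FirmwareURL) and the
service namespace are constructed placeholders, not Huawei's real schema.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Characters that have no business inside a firmware URL or filename argument
# and that a command-injection attempt needs in order to break out of the argument.
SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\n]")


def _local(tag):
    """Strip the XML namespace from an element tag: '{urn:x}Body' -> 'Body'."""
    return tag.rsplit('}', 1)[-1]


def parse_soap_action(body):
    """Return (action_name, {argument_name: value}) for the first action inside the SOAP Body.

    Returns (None, {}) when the body is not well-formed XML or has no Body element.
    """
    try:
        # For production use prefer defusedxml.ElementTree to resist XML entity bombs.
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, {}
    for elem in root.iter():
        if _local(elem.tag) == 'Body':
            for action in elem:
                args = {_local(child.tag): (child.text or '') for child in action}
                return _local(action.tag), args
    return None, {}


def inspect_request(headers, body):
    """Classify one HTTP POST captured on TCP/37215.

    'alert'      - DeviceUpgrade action with a shell metacharacter in an argument
    'suspicious' - DeviceUpgrade action reached the WAN-facing port at all
    'ok'         - anything else
    """
    action, args = parse_soap_action(body)
    soapaction = headers.get('SOAPAction', '')
    is_upgrade = action == 'DeviceUpgrade' or 'DeviceUpgrade' in soapaction
    tainted = {k: v for k, v in args.items() if SHELL_METACHARS.search(v)}
    if is_upgrade and tainted:
        return {'verdict': 'alert', 'action': action, 'tainted': tainted}
    if is_upgrade:
        return {'verdict': 'suspicious', 'action': action, 'tainted': {}}
    return {'verdict': 'ok', 'action': action, 'tainted': {}}


def _envelope(action, args):
    """Build a constructed SOAP envelope for the samples below (not real router traffic)."""
    inner = ''.join(f'<{k}>{escape(v)}</{k}>' for k, v in args.items())
    return ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<s:Body><u:{action} xmlns:u="urn:example:service:placeholder:1">'
            f'{inner}</u:{action}></s:Body></s:Envelope>')


# Constructed sample requests: a status query, a clean upgrade, and an injection attempt.
SAMPLES = {
    'benign_status': ({'SOAPAction': '"urn:example:service:placeholder:1#GetStatusInfo"'},
                      _envelope('GetStatusInfo', {})),
    'clean_upgrade': ({'SOAPAction': '"urn:example:service:placeholder:1#DeviceUpgrade"'},
                      _envelope('DeviceUpgrade', {'FirmwareURL': 'http://fw.example.invalid/image.bin'})),
    'injected_upgrade': ({'SOAPAction': '"urn:example:service:placeholder:1#DeviceUpgrade"'},
                         _envelope('DeviceUpgrade', {'FirmwareURL': 'http://fw.example.invalid/image.bin;echo injected'})),
}


def scan_samples(samples=SAMPLES):
    """Run the inspector over every sample and return {name: verdict}."""
    return {name: inspect_request(hdrs, body)['verdict'] for name, (hdrs, body) in samples.items()}


if __name__ == '__main__':
    for name, verdict in scan_samples().items():
        print(f'{name:18s} -> {verdict}')
```

Even the 'suspicious' verdict is worth acting on: a firmware-upgrade action should never be reachable from the WAN interface in the first place, so any such request on port 37215 indicates exposure regardless of whether a payload is attached.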
“After these have been executed, the exploit returns the default HUAWEIUPNP message, and the ‘upgrade’ is initiated,” Check Point researchers wrote.
So what happens to the device? Basically, a payload is unleashed. It contains instructions for the bot to flood designated targets with TCP or UDP packets.
Believe it or not, major botnets, namely BrickerBot and Satori, have already used the exploit code. Other botnets, variants and strains are sure to follow their lead.
According to Huawei, mitigating these attacks means administrators have to change the default passwords to something stronger, configure the router's built-in firewall, or use a firewall on the carrier side.
What does this mean for regular users? To put it simply: most home users would not be aware that it had happened to them, and they would remain vulnerable. Router manufacturers should have the strongest security measures and up-to-date patches every time a threat like this comes up. Otherwise, the threat just never goes away.