Satori IoT Botnet Exploits Zero-Day to Zombify Huawei Routers


Although the original creators of the infamous IoT malware Mirai have already been arrested and sent to jail, variants of the notorious botnet are still in the game because its source code is freely available on the Internet.

Hackers have widely used the infamous IoT malware to quietly amass an army of unsecured Internet-of-Things devices, including home and office routers, that could be used at any time to launch Internet-paralysing DDoS attacks.

Another variant of Mirai has now surfaced, propagating rapidly by exploiting a zero-day vulnerability in a Huawei home router model.

Dubbed Satori (also known as Okiku), the Mirai variant has been targeting Huawei's HG532 router model; Check Point security researchers said they tracked hundreds of thousands of attempts to exploit a vulnerability in that router model in the wild.

First identified by Check Point researchers in late November, Satori was found infecting more than 200,000 IP addresses in just 12 hours earlier this month, according to an analysis posted by Chinese security firm 360 Netlab on December 5.

Researchers suspect that an unskilled hacker who goes by the name "Nexus Zeta" is exploiting a zero-day remote code execution vulnerability (CVE-2017-17215) in Huawei HG532 devices, according to a new report published Thursday by Check Point.


The vulnerability exists because the Huawei devices' implementation of TR-064 (a Technical Report standard), an application-layer protocol for remote management, was exposed to the public Internet through the Universal Plug and Play (UPnP) protocol on port 37215.

"TR-064 was designed and intended for local network configuration," the report reads. "For example, it allows an engineer to implement basic device configuration, firmware upgrades and more from within the internal network."

Since this vulnerability allows remote attackers to execute arbitrary commands on the device, attackers were found exploiting the flaw to download and execute a malicious payload on the Huawei routers and add them to the Satori botnet.

In the Satori attack, each bot is instructed to flood targets with manually crafted UDP or TCP packets.

"The number of packets used for the flooding action and their corresponding parameters are transmitted from the C&C server," researchers said. "Also, the C&C server can pass an individual IP for attack or a subnet using a subnet address and several valuable bits."

Although the researchers observed a flurry of attacks worldwide against Huawei HG532 devices, the most targeted countries were the United States, Italy, Germany and Egypt.

Check Point researchers "discreetly" disclosed the vulnerability to Huawei as soon as their findings were confirmed; the company confirmed the vulnerability and issued an updated security notice to customers on Friday.

“An authenticated attacker could send malicious packets to port 37215 to launch attacks. Successful exploit could lead to the remote execution of arbitrary code,” Huawei said in its security advisory.

The company also offered some mitigations that could circumvent or prevent the exploit, including using the built-in firewall function, changing the default credentials of the devices, and deploying a firewall on the carrier side.

Users can also deploy Huawei NGFWs (Next Generation Firewalls) or data-centre firewalls, and upgrade their IPS signature database to the latest IPS_H20011000_2017120100 version released on December 1, 2017, in order to detect and defend against this flaw.
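The firewall mitigation above boils down to one check: TR-064 management on port 37215 should only ever be reached from the local network. The following added example (not from the article, Check Point or Huawei) runs that check over a constructed, syslog-style connection log whose format is an assumption, flagging port-37215 connections from non-RFC 1918 sources so a defender can see whether the management interface is exposed and who is probing it.

```python
import ipaddress
import re

# CVE-2017-17215 exploitation reaches the TR-064/UPnP management service on port 37215.
SATORI_TARGET_PORT = 37215

# Networks TR-064 management was designed for: RFC 1918 ranges plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample connection log (assumed syslog-style format, not Huawei's own).
SAMPLE_LOGS = """\
Dec 05 10:14:01 gw kernel: CONN proto=TCP src=203.0.113.45:51422 dst=198.51.100.7:37215
Dec 05 10:14:02 gw kernel: CONN proto=TCP src=192.168.1.20:40112 dst=192.168.1.1:37215
Dec 05 10:14:05 gw kernel: CONN proto=UDP src=198.51.100.9:1900 dst=198.51.100.7:1900
Dec 05 10:14:09 gw kernel: CONN proto=TCP src=203.0.113.45:51430 dst=198.51.100.7:37215
Dec 05 10:14:11 gw kernel: CONN proto=TCP src=203.0.113.77:6001 dst=198.51.100.7:80
"""

LINE_RE = re.compile(r"proto=(?P<proto>TCP|UDP) src=(?P<sip>[\d.]+):\d+ "
                     r"dst=(?P<dip>[\d.]+):(?P<dport>\d+)")

def is_internal(ip):
    """True if the source sits on a local network, where TR-064 use is expected."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_exposed_tr064_attempts(log_text):
    """Return records of port-37215 connections that originate outside the LAN."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dport")) != SATORI_TARGET_PORT:
            continue
        if is_internal(m.group("sip")):
            continue  # local management traffic is what TR-064 is intended for
        hits.append({"src": m.group("sip"), "dst": m.group("dip"), "proto": m.group("proto")})
    return hits

def summarize_by_source(hits):
    """Count external attempts per source address for alerting or blocking."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts

if __name__ == "__main__":
    for src, n in summarize_by_source(find_exposed_tr064_attempts(SAMPLE_LOGS)).items():
        print(f"{src}: {n} external attempt(s) against port {SATORI_TARGET_PORT}")
```

Any non-empty result means the WAN side can reach the management port, which is exactly what the built-in firewall or a carrier-side rule should be blocking.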
