
A new variant Mirai botnet named Satori has been found exploiting a vulnerability in Huawei home routers.

Check Point researchers have discovered a zero-day vulnerability (CVE-2017-17215) in Huawei HG532 home routers, and hundreds of thousands of attempts to exploit it have already been observed in the wild. According to the researchers, the attacker behind the campaign goes by the name 'Nexus Zeta'.

The researchers found that the TR-064 (Technical Report 064) implementation in the Huawei devices allows remote attackers to execute arbitrary commands on the device. TR-064 is an application-layer protocol used for basic device configuration, firmware upgrades and similar tasks from within the internal network. Attackers used the flaw to download and execute a malicious payload on the routers.

"From looking into the UPnP description of the device, it can be seen that it supports a service type named `DeviceUpgrade`. This service is supposedly carrying out a firmware upgrade action by sending a request to "/ctrlt/DeviceUpgrade_1" (referred to as controlURL) and is carried out with two elements named `NewStatusURL` and `NewDownloadURL`."

"The vulnerability allows remote administrators to execute arbitrary commands by injecting shell meta-characters "$()" in the NewStatusURL and NewDownloadURL," Check Point said in its blog post.

Once installed, the bot floods targets with manually crafted UDP or TCP packets. It first resolves the IP address of the C&C server with a DNS request for a hardcoded domain name. It then takes the address from the DNS response and connects to the hardcoded target port (7645) over TCP. To communicate with the C&C server, the bot uses its own custom protocol, which includes two hardcoded check-in requests; the server responds with the DDoS attack parameters.

The vulnerability was reported to Huawei on November 27, and the company published a security advisory with the following recommendations to prevent exploitation of the flaw:

  1. Configure the built-in firewall function.
  2. Change the default password.
  3. Deploy a firewall at the carrier side.
"Customers can deploy Huawei NGFWs (Next Generation Firewalls) or data center firewalls, and upgrade the IPS signature database to the latest version IPS_H20011000_2017120100, released on December 1, 2017, to detect and defend against exploits of this vulnerability initiated from the Internet," the company said in its security advisory.
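As an added example (not code from the original article, from Check Point or from Huawei), the following Python inspects a captured HTTP request for the pattern described above: a POST to /ctrlt/DeviceUpgrade_1 whose NewStatusURL or NewDownloadURL element carries shell metacharacters such as `$()`. The sample requests are constructed for the example; the SOAP envelope layout, the action name `Upgrade`, its service URN and the placeholder command `$(echo injected)` are assumptions and are not the real payload.

```python
import re
import xml.etree.ElementTree as ET

CONTROL_URL = "/ctrlt/DeviceUpgrade_1"
# The two DeviceUpgrade elements named as the injection points for CVE-2017-17215
TAINTED_ELEMENTS = ("NewStatusURL", "NewDownloadURL")
# Shell metacharacters that have no business in a firmware status/download URL
SHELL_META = re.compile(r"\$\(|`|;|\|\||&&|\|")


def candidate_values(body):
    """Yield (element, value) for NewStatusURL/NewDownloadURL in a SOAP body.

    A strict XML parse is tried first. If the body is malformed, fall back to a
    raw-text scan so that sloppy XML does not bypass inspection: embedded SOAP
    parsers are usually far more forgiving than xml.etree.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        for name in TAINTED_ELEMENTS:
            pattern = rf"<(?:\w+:)?{name}>(.*?)</(?:\w+:)?{name}>"
            for m in re.finditer(pattern, body, re.S):
                yield name, m.group(1)
        return
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]  # drop any {namespace} prefix
        if local in TAINTED_ELEMENTS:
            yield local, elem.text or ""


def inspect_request(raw):
    """Classify one HTTP request (headers + body) as other/upgrade_request/exploit."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    path_match = CONTROL_URL in request_line
    findings = []
    if path_match:
        for name, value in candidate_values(body):
            if SHELL_META.search(value):
                findings.append((name, value.strip()))
    if findings:
        verdict = "exploit"
    elif path_match:
        verdict = "upgrade_request"
    else:
        verdict = "other"
    return {"path_match": path_match, "findings": findings, "verdict": verdict}


# Constructed sample traffic; envelope layout and service URN are assumptions.
ENVELOPE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    '<s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:DeviceUpgrade:1">'
    "<NewStatusURL>{status}</NewStatusURL>"
    "<NewDownloadURL>{download}</NewDownloadURL>"
    "</u:Upgrade></s:Body></s:Envelope>"
)


def build_request(path, status, download):
    body = ENVELOPE.format(status=status, download=download)
    return (
        f"POST {path} HTTP/1.1\r\n"
        "Host: 192.0.2.1\r\n"
        "Content-Type: text/xml\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n" + body
    )


BENIGN = build_request(CONTROL_URL, "http://192.0.2.10/status", "http://192.0.2.10/fw.bin")
MALICIOUS = build_request(CONTROL_URL, "$(echo injected)", "http://192.0.2.10/fw.bin")
# Raw '&&' is not well-formed XML, so this one only gets caught by the fallback scan
MALFORMED = build_request(CONTROL_URL, "$(echo a)&&$(echo b)", "http://192.0.2.10/fw.bin")
UNRELATED = build_request("/ctrlt/SomethingElse_1", "$(echo injected)", "x")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("malicious", MALICIOUS),
                       ("malformed", MALFORMED), ("unrelated", UNRELATED)):
        print(label, inspect_request(req))
```

The fallback scan is the part worth keeping: an attacker who knows a sensor parses XML strictly can send a body that the router's lenient parser still accepts, and the `&&` sample shows exactly that case. Matching only on the controlURL, without looking at the element values, would also flag every legitimate upgrade request, so the verdict separates the two.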