Researchers have identified a vulnerability in a Huawei home router model that is being exploited by an adversary to spread a variant of the Mirai malware called Mirai Okiru, also known as Satori.
Researchers at Check Point published a report Thursday, and said the flaw is in Huawei’s router model HG532. It said it is tracking hundreds of thousands of attempts to exploit the vulnerability in the wild.
Okiku/Satori was first identified by Check Point researchers on November 23. Leading up to the discovery, researchers said they had observed a flurry of attacks worldwide against Huawei HG532 devices, with the U.S., Italy, Germany and Egypt hit the hardest.
“As soon as the findings had been confirmed, the vulnerability was discretely disclosed to Huawei so as to mitigate further propagation,” researchers said.
On Friday, Huawei issued an updated security notice to customers warning of the vulnerability (CVE-2017-17215). It told customers the flaw allows a remote adversary to send malicious packets to port 37215 to execute remote code on vulnerable routers.
The Mirai botnet made headlines in October 2016, targeting DNS provider Dyn and the Krebs on Security website with massive DDoS attacks. The original Mirai malware exploited flaws found in the CCTV and DVR hardware that allowed a default Linux telnet credential to be used.
Since the Mirai source code became publicly available, many hackers have modified the code and expanded the number of Internet of Things devices compromised. Most have taken advantage of shoddy protections around connected devices and embedded systems.
In the case of Mirai Okiru/Satori, Check Point researchers suspected an inexperienced hacker that goes by “Nexus Zeta” is behind the attacks.
“The identity of the attacker was initially a mystery, with speculations running from advanced nation state perpetrators to notorious threat gangs,” researchers said.
“Eventually, we arrived at our main suspect; a threat actor under the nickname ‘Nexus Zeta’, who was found thanks to the email address used to register a C&C domain belonging to the botnet – nexusiotsolutions[.]net,” they said.
Researchers then cross-referenced the email addressed used for the domain registration with an email address used on the popular hacker forum called HackForums.
“Although he is rarely active in such forums, the few posts he does make disclose an amateur actor, though interesting his most recent focus was on an initiative to establish a Mirai-like IoT botnet,” researchers said.
One of Nexus Zeta’s post prior to the Huawei attacks was:
“hello, im looking for someone to help me compile the mirai botnet, i heard all you have to do is compile it and you have access to 1 terabit per second so please help me setup a mirai tel-net botnet”.
The Mirai Okiru/Satori attacks differs from previous Mirai variants in that they don’t rely on brute-force telnet-based attacks. Instead, the new variant runs attacks over port 37215 exploiting the previously unknown CVE-2017-17215 vulnerability in Huawei HG532 devices.
The attack involves a command injection, where the malicious payload is downloaded and executed on the Huawei router, researchers said.
The flaw is tied to the router’s use of the Universal Plug and Play (UPnP) protocol and the TR-064 technical report standard. TR-064 is a standard designed to make it easy to add embedded UPnP devices to a local network.
“In this case though, the TR-064 implementation in the Huawei devices was exposed to WAN through port 37215 (UPnP),” researchers wrote. The UPnP framework supports a “DeviceUpgrade” that can carry out a firmware upgrade action.
The vulnerability allows remote administrators to execute arbitrary commands by injecting shell meta-characters into the DeviceUpgrade process.
“After these have been executed, the exploit returns the default HUAWEIUPNP message, and the ‘upgrade’ is initiated,” researchers wrote.
The payload’s main purpose is to instruct the bot to flood targets with manually crafted UDP or TCP packets.
“The number of packets used for the flooding action and their corresponding parameters are transmitted from the C&C server. Also, the C&C server can pass an individual IP for attack or a subnet using a subnet address and a number of valuable bits,” researchers said.
According to Huawei, mitigation against attack includes configuring the router’s built-in firewall, changing the default password or using firewall at the carrier side.
Check Point said it’s still unclear how the vulnerability it discovered found its way to Nexus Zeta’s possession.
“As seen in this case as well as others over the past year, it is clear that a combination of leaked malware code together with exploitable and poor IoT security, when used by unskilled hackers, can lead to disastrous results,” Check Point said.