Malware Author Builds 18,000-Strong Botnet in one day with one exploit
Target: Huawei, Realtek routers or other IoT devices.
Attack Vector: CVE-2017-17215 or CVE-2014-8361, allowing an attacker to execute arbitrary code.
Summary: Researchers from NewSky Security have tracked the creation of a new botnet that amassed a large number of victims in a very short time. The threat actor exploited CVE-2017-17215, a vulnerability in Huawei HG532 routers in which an authenticated attacker able to reach port 37215 can send malicious packets to the device and execute arbitrary code remotely. In just 24 hours the bot had amassed some 18,000 devices, and the malware author has since launched a further attack leveraging CVE-2014-8361, a vulnerability in routers built on the Realtek SDK that is exploitable via port 52869 and, if successful, allows an attacker to execute arbitrary code with root privileges. According to the researchers this second exploit is still being tested.
The threat actor claiming to have created this new bot uses the pseudonyms Anarchy and Wicked and is a well-known malware author. Previous malware seen from this actor has been variations on the Mirai IoT malware, known as Wicked, Omni and Owari (Sora), all of which have been used in DDoS attacks. This attack came just a day before the UK Government's report into Huawei's broadband and mobile infrastructure equipment concluded that it had "only limited assurance" that the equipment poses no threat to national security. This again shows Anarchy/Wicked looking to gain further kudos in the criminal fraternity by riding the wave of media interest.
Analyst Comment: The threat is assessed as 3c MODERATE. If successful, this malware is capable of very powerful DDoS attacks and/or delivery of other malware such as credential stealers, cryptomining software and other malicious payloads. The impact of a DDoS attack would be brand damaging and could have severe financial implications for a target.
The use of the same exploit as the Satori and BrickerBot bots, and of other vulnerabilities against networked devices, is further evidence that the threat actor is experienced and looking to amass as many devices as possible before commencing attacks or hiring out the bot. Future attacks using this vector therefore remain a significant risk. The actor has previously run a number of successful IoT bot campaigns and is motivated by both kudos and financial gain, whether from web-stresser payments or from renting out the botnet.
The potential for growth of this botnet is also a significant cause for concern: the actor was evidently not satisfied with the enormous growth achieved in a short period against a single device type and immediately began exploiting a vulnerability in Realtek-based routers, possibly to keep working in the shadows after the surge of activity from the first attack drew attention. The likelihood of infection is therefore raised, with multiple IoT device types being targeted and possible lateral movement through networks.
Hide ‘N’ Seek IoT Botnet Gains Persistence
Target: IoT Devices
Attack Vector: Telnet connection or brute-force dictionary attack
Summary: Researchers at Bitdefender have discovered the first instance of an IoT botnet malware strain that gains persistence on infected devices, surviving a reboot after the initial compromise. The Hide 'N' Seek botnet has been under continuous development since it was first observed in the wild in January 2018 and now combines this persistence capability with its peer-to-peer (P2P) communications. If the technique is adopted more widely it could drastically alter the fight against IoT malware, opening the floodgates for targeted attacks on IoT devices that, in many cases, are exposed and vulnerable to infection. It is estimated that there will be some 31 billion connected IoT devices in 2018.
Risk assessment summary: The threat is assessed as 3c MODERATE. This malware, with its use of the same exploit as Reaper and of other vulnerabilities against networked devices, is likely to be developed further and weaponised by threat actors, and further attacks using this vector remain a significant risk. The malware has already undergone a number of upgrades and now spreads laterally over Telnet to infect further devices, gaining persistence on them under certain circumstances. The potential for growth of this botnet is also a significant cause for concern: if it is further developed and weaponised, it could have a significant effect on IoT and networked devices.
MyKings/Smominru multi-purpose botnet activity detected
Target: Systems that have not patched the relevant vulnerabilities (CVE-2017-0144 and CVE-2017-0176)
Attack Vector: Exploitation of SMBv1 request handling (CVE-2017-0144, EternalBlue) and an RDP buffer overflow (CVE-2017-0176) to distribute cryptomining software
Summary: Since April 2017 the MyKings botnet (also tracked as Smominru) has been active in a number of fields. MyKings stands out from a typical botnet in that it consists of a range of sub-botnets. Over the past 10 months it appears to have been used for a variety of malicious activities.
Recently the malware has been observed using cryptomining as a new monetisation method: the threat actors exploit the vulnerabilities above to compromise machines, which then mine cryptocurrency on their behalf. While the primary focus of the operation has been cryptomining, several other attack vectors have also been deployed. As of the end of January 2018 the botnet had allowed the threat actors to mine between $2.8M and $3.6M worth of Monero. Such a healthy profit could be reinvested by the threat actors, allowing them to develop further botnets capable of larger-scale attacks, to research new vulnerabilities, or simply to purchase new credentials and tools from underground markets to facilitate further attacks.
Risk assessment summary: The threat is assessed as 3d MODERATE. There is a clear threat and this type of attack is on an upward trend, with the botnet being used effectively for a range of activities and now for cryptomining, as the large amounts of currency obtained show. There have been recent cases of this kind of infection stalling business operations for days or weeks at a time. It should be noted, however, that the vulnerabilities being exploited are not new flaws and have had patches available since 2017, so the population of vulnerable machines is steadily decreasing. Organisations can further limit their exposure by not exposing SMB (TCP 445) and RDP (TCP 3389) to untrusted networks and by disabling SMBv1 where it is not needed. Despite this, the botnet still carries a level of risk, as it has been exploited in the wild.
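All three items in this bulletin come down to traffic on a handful of well-known ports: 37215 and 52869 for the Huawei and Realtek exploits, Telnet (23) for Hide 'N' Seek's dictionary attacks and lateral spread, and SMB (445) and RDP (3389) for MyKings/Smominru. The script below is an added example, not part of the original bulletin or of any vendor's tooling. It reads flow or firewall log lines in a constructed format (timestamp, source, source port, destination, destination port, protocol, action) and reports the three things an analyst would want from this page: one source fanning out across many internal hosts on one of these ports (scanning for exploitable devices, from outside or laterally from inside), one source hammering a single host:port (the Telnet dictionary attack), and internal hosts that actually accepted an outside connection on one of these ports (exposure). The sample log, the internal address ranges and the thresholds are assumptions made for the example.

```python
"""Flow-log triage for the ports named in this bulletin.

Added example: the log format, the internal ranges, the sample records and
the thresholds are constructed for illustration, not taken from the report.
"""
import ipaddress
from collections import defaultdict

# Ports and the bulletin items they belong to (the CVE mapping is the page's).
WATCHED_PORTS = {
    37215: "Huawei HG532 UPnP service (CVE-2017-17215)",
    52869: "Realtek SDK UPnP service (CVE-2014-8361)",
    23: "Telnet (Hide 'N' Seek dictionary attack / lateral movement)",
    445: "SMB (CVE-2017-0144, EternalBlue)",
    3389: "RDP (CVE-2017-0176)",
}

# Assumed "inside" address space. Explicit networks are used instead of
# ipaddress.is_private() because the RFC 5737 documentation ranges used in
# the sample (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) all count as
# private to that method, which would hide the external sources.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample records: "ts src sport dst dport proto action".
SAMPLE_LOG = """\
2018-07-20T10:00:01 198.51.100.7 41122 192.0.2.10 37215 tcp allow
2018-07-20T10:00:01 198.51.100.7 41123 192.0.2.11 37215 tcp allow
2018-07-20T10:00:02 198.51.100.7 41124 192.0.2.12 37215 tcp deny
2018-07-20T10:00:02 198.51.100.7 41125 192.0.2.13 52869 tcp allow
2018-07-20T10:00:05 203.0.113.9 50001 192.0.2.20 23 tcp allow
2018-07-20T10:00:06 203.0.113.9 50002 192.0.2.20 23 tcp allow
2018-07-20T10:00:07 203.0.113.9 50003 192.0.2.20 23 tcp allow
2018-07-20T10:00:08 203.0.113.9 50004 192.0.2.20 23 tcp allow
2018-07-20T10:00:09 203.0.113.9 50005 192.0.2.20 23 tcp allow
2018-07-20T10:00:10 203.0.113.9 50006 192.0.2.20 23 tcp allow
2018-07-20T10:01:00 192.0.2.30 44000 192.0.2.31 445 tcp allow
2018-07-20T10:01:00 192.0.2.30 44001 192.0.2.32 445 tcp allow
2018-07-20T10:01:01 192.0.2.30 44002 192.0.2.33 445 tcp allow
2018-07-20T10:01:05 10.0.0.5 44003 192.0.2.40 443 tcp allow
2018-07-20T10:01:06 192.0.2.40 44004 198.51.100.50 3389 tcp allow
this line is malformed
"""


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one record; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, sport, dst, dport, proto, action = parts
    try:
        return {"ts": ts, "src": src, "sport": int(sport), "dst": dst,
                "dport": int(dport), "proto": proto, "action": action}
    except ValueError:
        return None


def triage(log_text, scan_threshold=3, brute_threshold=5):
    """Find fan-out scans, single-target brute force and exposed services
    among flows into internal hosts on the watched ports."""
    targets_by_src_port = defaultdict(set)  # (src, dport) -> {dst, ...}
    hits_by_pair = defaultdict(int)         # (src, dst, dport) -> attempts
    exposed = set()                         # (dst, dport) allowed from outside
    for raw in log_text.splitlines():
        rec = parse_flow(raw)
        if rec is None or rec["dport"] not in WATCHED_PORTS:
            continue
        if not is_internal(rec["dst"]):
            continue  # only traffic aimed at our own hosts matters here
        # Denied flows still count as attempts: a blocked probe is still a scan.
        targets_by_src_port[(rec["src"], rec["dport"])].add(rec["dst"])
        hits_by_pair[(rec["src"], rec["dst"], rec["dport"])] += 1
        if rec["action"] == "allow" and not is_internal(rec["src"]):
            exposed.add((rec["dst"], rec["dport"]))
    scans = sorted(
        (src, port, len(t), "internal" if is_internal(src) else "external")
        for (src, port), t in targets_by_src_port.items()
        if len(t) >= scan_threshold)
    brute = sorted(
        (src, dst, port, n) for (src, dst, port), n in hits_by_pair.items()
        if n >= brute_threshold)
    return {"scans": scans, "bruteforce": brute, "exposed": sorted(exposed)}


def report(result):
    """Render triage findings as human-readable lines."""
    lines = []
    for src, port, n, origin in result["scans"]:
        lines.append(f"SCAN   {src} ({origin}) -> {n} hosts on {port}: {WATCHED_PORTS[port]}")
    for src, dst, port, n in result["bruteforce"]:
        lines.append(f"BRUTE  {src} -> {dst}:{port} x{n}: {WATCHED_PORTS[port]}")
    for dst, port in result["exposed"]:
        lines.append(f"EXPOSE {dst}:{port} accepted an outside connection: {WATCHED_PORTS[port]}")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

On the sample data the script flags 198.51.100.7 as an external scanner of port 37215 (the denied probe still counts), 192.0.2.30 as an internal host sweeping SMB on its neighbours (the lateral movement pattern described for MyKings), 203.0.113.9 for repeated Telnet connections to one device (Hide 'N' Seek's dictionary attack), and the four internal hosts that accepted an outside connection on a watched port. The outbound RDP flow and the HTTPS flow are ignored, and the malformed line is skipped rather than raising.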