Malware Author Builds 18,000-Strong Botnet in one day with one exploit
Target: Huawei, Realtek routers or other IoT devices.
Attack Vector: CVE-2017-17215 or CVE-2014-8361, allowing an attacker to execute arbitrary code.
Summary: Researchers from NewSky Security have tracked the creation of a huge new botnet that amassed a large number of victims in a very short time. The threat actor exploited a vulnerability in Huawei HG532 routers, CVE-2017-17215, in which an authenticated attacker could send malicious packets to port 37215 and launch attacks. This could lead to the remote execution of arbitrary code. In just 24 hours the bot had amassed a massive 18,000 devices, and the malware author has now launched a further targeted attack leveraging CVE-2014-8361, a vulnerability in Realtek routers exploitable via port 52869. If successful, an attacker can exploit this issue to execute arbitrary code with root privileges. According to the researchers, this second exploit is still being tested.
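The two service ports named above (37215 for the Huawei HG532 issue, 52869 for the Realtek issue) are the most practical thing a defender can watch for at the network edge. The following is an added example, not code from the bulletin or from NewSky Security: it parses a constructed, hypothetical space-separated connection log, raises one alert per inbound connection to either port with the CVE mapping from the summary, and then groups alerts by source so that a single address probing many devices (the mass-recruitment pattern the bulletin describes) stands out from a one-off hit. The log format, addresses and timestamps are all constructed; a real firewall or NetFlow export would need its own parser.

```python
"""Flag inbound traffic to the router service ports named in the bulletin.

Added example, not part of the original bulletin. The log format below is
a hypothetical one constructed for illustration.
"""
from collections import defaultdict
import re

# Port -> (CVE, affected product) mapping, taken from the bulletin text.
WATCHED_PORTS = {
    37215: ("CVE-2017-17215", "Huawei HG532 router"),
    52869: ("CVE-2014-8361", "Realtek SDK router"),
}

# Constructed sample log (hypothetical format: time src dst proto dport action).
# Addresses are documentation ranges, not real infrastructure.
SAMPLE_LOG = """\
2018-07-20T10:01:02Z 198.51.100.7 192.0.2.10 TCP 37215 ACCEPT
2018-07-20T10:01:03Z 198.51.100.7 192.0.2.11 TCP 37215 ACCEPT
2018-07-20T10:01:05Z 203.0.113.9 192.0.2.10 TCP 443 ACCEPT
2018-07-20T10:02:10Z 198.51.100.7 192.0.2.12 TCP 52869 DROP
2018-07-20T10:02:11Z 203.0.113.44 192.0.2.12 TCP 52869 ACCEPT
2018-07-20T10:03:00Z 203.0.113.44 192.0.2.13 TCP 22 ACCEPT
malformed line that the parser should skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<proto>TCP|UDP) (?P<dport>\d+) (?P<action>ACCEPT|DROP)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_exploit_attempts(log_text):
    """Return one alert per log line aimed at a watched port, in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in WATCHED_PORTS:
            continue
        cve, product = WATCHED_PORTS[rec["dport"]]
        alerts.append({
            "time": rec["ts"], "src": rec["src"], "dst": rec["dst"],
            "dport": rec["dport"], "cve": cve, "product": product,
            "blocked": rec["action"] == "DROP",
        })
    return alerts


def summarize_sources(alerts, min_targets=2):
    """Group alerts by source address.

    A source that touches at least min_targets distinct destinations on the
    watched ports looks like mass scanning rather than a single connection.
    Returns {src: sorted list of destinations} for those sources only.
    """
    targets = defaultdict(set)
    for a in alerts:
        targets[a["src"]].add(a["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    found = find_exploit_attempts(SAMPLE_LOG)
    for a in found:
        status = "blocked" if a["blocked"] else "ALLOWED"
        print(f"{a['time']} {a['src']} -> {a['dst']}:{a['dport']} "
              f"{a['cve']} ({a['product']}) {status}")
    print("scanning sources:", summarize_sources(found))
```

Allowed (not dropped) hits on either port against a device that is still unpatched are the ones worth escalating; the source grouping is what turns four separate alerts into "one address is sweeping our router range", which is the picture the bulletin paints.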
The threat actor claiming to have created this new bot uses the pseudonyms Anarchy or Wicked and is a well-known malware author. Previous exploits seen used by this threat actor have been variations on the Mirai IoT malware, known as Wicked, Omni, and Owari (Sora). All have been used in DDoS attacks in the past. This attack came just a day before the UK Government's report into Huawei's broadband and mobile infrastructure equipment concluded that it has "only limited assurance" that the equipment poses no threat to national security. This again shows Anarchy/Wicked has looked to gain further kudos in the criminal fraternity by riding on the media wave of interest.
Analyst Comment: The threat is assessed as 3c MODERATE. If successful, this malware is capable of very powerful DDoS attacks and/or delivery of other malware such as stealers, cryptomining software and other malicious payloads. The impact of a DDoS attack would be brand damaging and have severe financial implications for a target.
The use of the same exploit as the Satori and Brickerbot bots, and of other vulnerabilities against networked devices, is further evidence that the threat actor is experienced and looking to amass as many devices as possible before commencing attacks or hiring out the bot. Therefore, future attacks using this vector remain a significant risk. The actor has previously accomplished a number of successful IoT bot campaigns and is motivated by both kudos and financial gain, from webstresser payments or renting out the botnet.
The potential for the growth of this botnet is also a significant cause for concern, as the actor has shown dissatisfaction with the enormous growth of their bot in a small time period with one device targeted. They immediately began exploiting a vulnerability against Realtek routers, possibly to try to work in the shadows as the initial increase in activity from the first attack drew attention. Therefore the likelihood of infection is raised, with multiple IoT devices being targeted and possible lateral movement through networks.