
Crucial Part of Satori Botnet Goes Online Free of Charge

Posted: March 2, 2018

The malicious code for exploiting a recent vulnerability in a specific Huawei router model made its way onto the Internet for free in late December. The exploit targets CVE-2017-17215, a zero-day vulnerability that Check Point found in the company's HG532 routers in late November, and is an integral part of the Satori malware, an offshoot of the Mirai botnet pandemic. Now at large on Pastebin, the code looks poised to wreak further havoc in the hands of a potentially larger number of malware actors willing to ride on Satori's success.

How the Infection Came to Be

On November 27, 2017, Check Point's researchers warned the Chinese ICT giant of a security hole found in its Huawei HG532 home routers. Designated CVE-2017-17215, the vulnerability could potentially allow remote code execution. Huawei's ensuing examination not only corroborated the existence of this flaw but also identified an active attack that exploited the then-unknown vulnerability by sending crafted packets to port 37215. Huawei's security specialists reacted swiftly, fixing the flaw by releasing a new version of their Intrusion Prevention System (IPS) database on Dec. 1, 2017, but customers who have yet to apply the IPS update and take the additional recommended measures remain exposed to the threat.

Yet Another Host

In addition to Satori, the leaked exploit appears to have had another host: the infamous BrickerBot. Created by an actor known as the Janitor, BrickerBot went on to render more than 10 million IoT devices useless before ceasing operations shortly before the Christmas holidays. Individual pieces of its source code, however, were made available on the Web for free. Analyzing them, NewSky Security's researchers found hard evidence that BrickerBot had also exploited the CVE-2017-17215 vulnerability well before it was publicly assigned an identifier in the Common Vulnerabilities and Exposures dictionary. As it turns out, Satori and BrickerBot used the same command injection, and it is this injection in particular that targets the CVE-2017-17215 flaw. Since the exploit was successfully integrated into two massive botnet campaigns before becoming freely available, it may find new botnet hosts along the way, or even evolve into a more complex tool in the hands of experienced malware actors.
