Malware Author Creates a Massive Botnet in One Day
Given the number of medium- to high-profile attacks that have occurred over the past few years, you are most likely familiar with the term DDoS (Distributed Denial of Service), a method of making a service unavailable by overwhelming it with traffic from multiple sources.
A term that you may be somewhat less familiar with is “botnet”.
A botnet is essentially a collection of devices, including PCs, mobile devices, servers and internet of things devices that are infected by a type of malware which then takes control of them, often without the users of the devices being aware.
Recently, a malware author was able to create a massive botnet consisting of 18,000 routers, and managed to do so in a single day.
Only One Exploit Necessary
The existence of this botnet was confirmed by Qihoo 360 Netlab, Greynoise, and Rapid7 after it had initially been spotted by security researchers at NewSky Security.
According to data collected by Netlab’s NetScan system, scans for the vulnerability that allowed the botnet’s creation began on July 18. Surprisingly, the botnet was built by exploiting a single vulnerability in Huawei HG532 routers, tracked as CVE-2017-17215 and exploited via port 37215.
According to Bleeping Computer, the author of the botnet reached out to NewSky security researcher Ankit Anubhay in order to brag about his accomplishment. The author even went so far as to share a list consisting of all of the victims affected by the botnet.
Created by a Known Hacker
Although the hacker identified himself by the pseudonym “Anarchy,” Anubhay believes it is quite possibly the hacker who previously operated under the name Wicked. Anarchy/Wicked answered a number of queries from both Anubhay and Bleeping Computer, though he did not reveal any motivation he might have had, or any desired outcome, for creating the botnet.
Anubhay had previously interviewed Wicked on NewSky’s blog and Fortinet, and this may be the reason that Anarchy reached out to him to boast of his latest exploits.
Anarchy/Wicked is well known as a malware author, having in the past created variations of the Mirai IoT malware which, along with their respective botnets, were known as Wicked, Omni, and Owari (Sora). These were used in various DDoS attacks.
Other Routers at Risk
While the creation of the botnet is obviously a concern, what is much more disconcerting is the ease and speed with which the deed was accomplished. Worst of all, this was not done through the discovery and exploitation of an unknown vulnerability, but rather through one that has been targeted before.
CVE-2017-17215 is a well-known vulnerability, one that has been exploited on at least two occasions by versions of the Satori botnet, as well as by a number of the smaller Mirai-based offshoots. One would normally expect that users would have patched their devices by now, or that ISPs would have blocked incoming connections on port 37215, but that does not seem to be the case.
Anarchy is not resting on his laurels.
Anubhay was told by the botnet author that he plans to exploit CVE-2014-8361, a vulnerability in Realtek routers exploitable via port 52869. Testing of that exploit has already started, with Rapid7 and Greynoise confirming a large number of Realtek scans.
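The two mitigations the article points to, patching and blocking inbound connections on the ports the botnet targets (37215 for CVE-2017-17215, 52869 for CVE-2014-8361), are easy to check for from the defender's side. The following is an added example, not code from the article or from any of the researchers it cites: it parses constructed iptables-style log lines, counts inbound SYNs to those two ports per source, flags sources probing several hosts (the pattern of a mass scan like the one NetScan recorded), and emits the corresponding inbound drop rules. The log format, interface name and addresses are assumptions.

```python
import re
from collections import Counter, defaultdict

# Ports named in the article and the vulnerability each is associated with.
WATCHED_PORTS = {37215: "CVE-2017-17215 (Huawei HG532)",
                 52869: "CVE-2014-8361 (Realtek)"}

# Constructed sample lines in iptables LOG format (not real traffic).
SAMPLE_LOG = """\
Jul 18 03:12:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=44321 DPT=37215 SYN
Jul 18 03:12:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.6 PROTO=TCP SPT=44322 DPT=37215 SYN
Jul 18 03:12:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=51000 DPT=443 SYN
Jul 18 03:12:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.5 PROTO=TCP SPT=51001 DPT=52869 SYN
Jul 18 03:12:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.7 PROTO=TCP SPT=44323 DPT=37215 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
                     r"SPT=\d+ DPT=(?P<dpt>\d+)")

def _watched_events(log_text):
    """Yield (src, dst, dport) for each line that targets a watched port."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dpt")) in WATCHED_PORTS:
            yield m.group("src"), m.group("dst"), int(m.group("dpt"))

def scan_hits(log_text):
    """Return {port: {src: count}} for inbound SYNs to the watched ports."""
    hits = defaultdict(Counter)
    for src, _dst, dport in _watched_events(log_text):
        hits[dport][src] += 1
    return {port: dict(counts) for port, counts in hits.items()}

def scanning_sources(log_text, min_targets=2):
    """Sources that probed a watched port on at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for src, dst, dport in _watched_events(log_text):
        targets[(src, dport)].add(dst)
    return sorted((src, port, len(dsts))
                  for (src, port), dsts in targets.items() if len(dsts) >= min_targets)

def iptables_drop_rules(ports=WATCHED_PORTS, iface="eth0"):
    """Inbound drop rules for the watched ports on the WAN-facing interface (assumed eth0)."""
    return [f"iptables -A INPUT -i {iface} -p tcp --dport {p} -j DROP  # {ports[p]}"
            for p in sorted(ports)]

if __name__ == "__main__":
    print(scan_hits(SAMPLE_LOG))
    print(scanning_sources(SAMPLE_LOG))
    print("\n".join(iptables_drop_rules()))
```

Dropping inbound traffic on these ports only limits exposure of unpatched devices behind the filter; updating the router firmware remains the actual fix.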
To protect all your data, contact Safe Harbour today!