Security researchers have discovered the BCMUPnP_Hunter botnet, which appears to be aimed specifically at IoT devices. It targets a five-year-old vulnerability that many devices have still not patched. Since its launch it has infected about 100,000 IoT devices.
The Bcmupnp_Hunter Botnet Shows How Easily Unpatched IoT Devices Can Be Taken Over
A security team has published a report detailing a new IoT botnet called Bcmupnp_Hunter, which uses a five-year-old exploit. This once again confirms that users, and in some cases device vendors and manufacturers, do not apply or release updates to fix such issues in due time. The first attacks were reported back in September and quickly spread to devices worldwide. We remind our readers that botnet activity in 2018 shows an increased distribution of RATs. A shift in strategy could turn this botnet into a very dangerous malware distribution platform.
The actual bug through which the infections are carried out was discovered back in 2013 and lies in Broadcom's UPnP SDK implementation rather than in the UPnP specification itself. UPnP is meant to configure and access devices from the internal network, but on many affected devices the service is also reachable from the internet. It appears that many vendors have shipped the Broadcom SDK stack without applying the patches that fix the known issues. As a result an attacker can execute code remotely without authenticating to the device. The vulnerability is rated critical because anyone who knows about the SDK issue can gain control of the affected systems with only a few requests.
The mechanism of operation is basic: once engaged, the botnet scans whole network ranges supplied by its operators, probing TCP port 5431 for an exposed UPnP service. If one is found, the exploit code is launched against it and the botnet automatically takes control of the victim device. So far the majority of victims are located in India, the USA and China.
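Because the botnet's first step is a mass scan of port 5431, a defender's first step is the mirror image: check whether that port is reachable from the WAN on any device you own, and watch perimeter logs for sources sweeping it. The script below is an added example written for this article, not code from the original report or from the botnet's authors. It parses iptables-style `LOG` lines (a real format; the lines themselves are constructed) and flags any source that probes several distinct hosts on 5431 within a short window. The thresholds `MIN_TARGETS` and `WINDOW` are hypothetical tuning values, not figures from the report.

```python
# Added example (not from the original article): flag hosts that sweep the
# Broadcom UPnP port 5431 in iptables-style firewall logs.
import re
from collections import defaultdict
from datetime import datetime, timedelta

UPNP_PORT = 5431

# Hypothetical thresholds: a source that hits this many distinct destinations
# on 5431 within WINDOW is treated as a scanner.
MIN_TARGETS = 3
WINDOW = timedelta(minutes=10)

# iptables LOG format: syslog timestamp, host, "kernel:", then key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

# Constructed sample log: one source sweeps three hosts on 5431 within seconds
# (plus a stray hit hours later); another source touches 5431 only once.
SAMPLE_LOG = """\
Nov 14 09:01:05 gw kernel: IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=5431 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 14 09:01:06 gw kernel: IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=198.51.100.11 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41235 DPT=5431 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 14 09:01:07 gw kernel: IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=198.51.100.12 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41236 DPT=5431 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 14 09:02:00 gw kernel: IN=eth0 OUT= MAC=... SRC=192.0.2.44 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 14 09:03:10 gw kernel: IN=eth0 OUT= MAC=... SRC=192.0.2.44 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50001 DPT=5431 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 14 21:00:00 gw kernel: IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=198.51.100.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41999 DPT=5431 WINDOW=29200 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Return (timestamp, src, dst, proto, dport) for an iptables LOG line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for the relative comparisons done here.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))


def find_upnp_scanners(log_text, min_targets=MIN_TARGETS, window=WINDOW):
    """Map each scanning source to the largest number of distinct hosts it
    probed on TCP/5431 within any single window of the given length."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, proto, dport = rec
        if proto == "TCP" and dport == UPNP_PORT:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best = 0
        # Sliding window anchored at each event in turn.
        for i, (t0, _) in enumerate(evs):
            targets = {dst for t, dst in evs[i:] if t - t0 <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, n in find_upnp_scanners(SAMPLE_LOG).items():
        print(f"{src} swept {n} hosts on TCP/{UPNP_PORT} within {WINDOW}")
```

On the sample above only 203.0.113.7 is reported (three hosts within two seconds; its hit twelve hours later falls outside the window), while 192.0.2.44, which touched 5431 once, is not. Lowering `MIN_TARGETS` to 1 turns the script into a plain inventory of everyone who touched the port, which is useful when the question is simply whether 5431 is exposed at all.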
The security analysis of the Bcmupnp_Hunter botnet shows that this particular threat uses a complex, multi-stage infection mechanism: devices are not only compromised but are immediately recruited into the botnet. The experts also discovered a secondary function: the infected devices are used as proxy nodes that relay connections on behalf of the operators.
The botnet is expected to keep recruiting nodes for as long as vulnerable devices remain online. Botnets of this size are extremely useful for orchestrating DDoS (distributed denial-of-service) attacks against government or corporate targets, and they can be rented out to individual hackers or criminal groups or put to other uses by their operators.