A new botnet has been detected by security researchers at NewSky Security, with the discovery confirmed by researchers from Qihoo 360 Netlab, Rapid7, and GreyNoise. The botnet has compromised more than 18,000 routers in a single day and was built by exploiting a vulnerability in Huawei HG532 routers tracked as CVE-2017-17215.
Botnet Built Only in a Day by Anarchy Hacker
CVE-2017-17215’s official description reads as follows: “Huawei HG532 with some customized versions has a remote code execution vulnerability. An authenticated attacker could send malicious packets to port 37215 to launch attacks. Successful exploit could lead to the remote execution of arbitrary code.”
According to the researchers’ analysis, scanning for the flaw began on the morning of July 18, with the scans directed at port 37215.
The botnet’s author calls himself Anarchy and has given no explanation of why he built it. Security researchers believe Anarchy may be the same hacker who previously used the nickname Wicked and who is behind several Mirai variants, identified as Wicked, Omni, and Owari, all of which were actively used in DDoS attacks.
What is most concerning about the newly discovered botnet is how easily it was built, using a high-profile security flaw that had already been used for the same purpose. Research indicates that CVE-2017-17215 has been used in the creation of at least two versions of the Satori botnet as well as several small Mirai-based botnets. Satori, for example, exploits the Huawei flaw together with a bug in Realtek SDK-based devices (CVE-2014-8361).
Both vulnerabilities have been exploited to attack and infect routers and other embedded devices. The botnet itself was built on top of the code of the devastating Mirai IoT botnet. Satori’s operators used just these two vulnerabilities to compromise hundreds of thousands of devices, as researchers reported in late 2017.
The most alarming part of this story is that Anarchy built the botnet in the span of a single day. The hacker apparently has no intention of stopping and says he plans to target a second flaw, CVE-2014-8361, a vulnerability in routers built on the Realtek SDK that is exploitable via port 52869.
The vulnerability’s official description reads: “The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInternalClient request.”
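As an added example (not part of the original article, and not code from Anarchy, NewSky or any of the other researchers named), the following Python script shows how a defender would spot the two activities described above in their own logs: one source sweeping many hosts on port 37215 or 52869, and a captured request to port 52869 that carries the NewInternalClient element named in the CVE-2014-8361 description. The key=value log format, the sweep threshold and time window, and every IP address and log line in SAMPLE_LOG are constructed assumptions for the example, not data from the article.

```python
import re
from collections import defaultdict
from datetime import datetime

# Ports the article ties to each flaw: 37215 (CVE-2017-17215, Huawei HG532)
# and 52869 (CVE-2014-8361, Realtek SDK miniigd SOAP service).
WATCHED_PORTS = {
    37215: "CVE-2017-17215 (Huawei HG532)",
    52869: "CVE-2014-8361 (Realtek SDK miniigd)",
}

# Assumed (hypothetical) firewall/sensor log format: one connection per line,
# key=value fields, in time order. A `body` field is present only when the
# sensor captured the request body of an HTTP POST.
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)'
    r'(?: body="(?P<body>[^"]*)")?$'
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so junk lines are skipped."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["dport"] = int(ev["dport"])
    return ev


def detect(lines, threshold=5, window_seconds=600):
    """Return alerts for (a) one source touching `threshold` distinct hosts on a
    watched port within `window_seconds` (a sweep for the flaw), and (b) any
    captured POST to 52869 whose body contains the NewInternalClient element."""
    alerts = []
    history = defaultdict(list)   # (src, dport) -> [(ts, dst), ...] inside the window
    already_flagged = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dport"] not in WATCHED_PORTS:
            continue
        key = (ev["src"], ev["dport"])
        # Drop events that fell out of the sliding window, then add this one.
        recent = [(t, d) for t, d in history[key]
                  if (ev["ts"] - t).total_seconds() <= window_seconds]
        recent.append((ev["ts"], ev["dst"]))
        history[key] = recent
        targets = {d for _, d in recent}   # distinct destinations, duplicates ignored
        if len(targets) >= threshold and key not in already_flagged:
            already_flagged.add(key)   # one alert per sweeping source/port pair
            alerts.append({
                "type": "port_sweep",
                "src": ev["src"],
                "dport": ev["dport"],
                "cve": WATCHED_PORTS[ev["dport"]],
                "targets": len(targets),
                "first_seen": recent[0][0].isoformat(sep=" "),
                "last_seen": ev["ts"].isoformat(sep=" "),
            })
        body = ev.get("body") or ""
        if ev["dport"] == 52869 and "NewInternalClient" in body:
            alerts.append({
                "type": "exploit_attempt",
                "src": ev["src"],
                "dst": ev["dst"],
                "dport": 52869,
                "cve": WATCHED_PORTS[52869],
                "at": ev["ts"].isoformat(sep=" "),
            })
    return alerts


# Constructed sample: 203.0.113.7 sweeps port 37215, 198.51.100.4 touches it
# once (benign noise), and 203.0.113.9 posts a NewInternalClient body to 52869.
SAMPLE_LOG = """\
2018-07-18 06:01:10 src=203.0.113.7 dst=192.0.2.10 dport=37215
2018-07-18 06:01:11 src=203.0.113.7 dst=192.0.2.11 dport=37215
2018-07-18 06:01:12 src=203.0.113.7 dst=192.0.2.12 dport=37215
2018-07-18 06:01:12 src=203.0.113.7 dst=192.0.2.12 dport=37215
2018-07-18 06:01:13 src=198.51.100.4 dst=192.0.2.20 dport=443
2018-07-18 06:01:14 src=203.0.113.7 dst=192.0.2.13 dport=37215
2018-07-18 06:01:15 src=198.51.100.4 dst=192.0.2.21 dport=37215
2018-07-18 06:01:16 src=203.0.113.7 dst=192.0.2.14 dport=37215
2018-07-18 06:02:00 src=203.0.113.9 dst=192.0.2.30 dport=52869 body="<NewInternalClient>192.0.2.31</NewInternalClient>"
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run stand-alone, the script prints one port_sweep alert for 203.0.113.7 on 37215 (five distinct targets) and one exploit_attempt alert for 203.0.113.9. Two caveats for real deployments: NewInternalClient is also a field of an ordinary UPnP port-mapping request, so the keyword match is meaningful only for traffic arriving on the WAN interface, where no such request should appear; and both ports belong to services that have no business being reachable from the Internet, so the simplest check is whether 37215 and 52869 answer from outside, and the simplest fix is to block them inbound at the edge.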