Security researchers are urging businesses to ensure they are prepared for large-scale DDoS attacks following the online publication of code to exploit a vulnerability in Huawei HG532 routers.
When an exploit becomes freely available, threat actors are quick to implement it to carry out their own distributed denial of service (DDoS) attacks by hijacking internet of things (IoT) devices into botnets.
Similar warnings were issued after the publication of the Mirai malware code in October 2016 that attackers went on to use to devastating effect.
DDoS attacks are often downplayed or overlooked by organisations, but security experts have repeatedly warned that any online business or application is vulnerable to DDoS, and DDoS mitigation should be part of any such company’s cyber security or business continuity plan.
“With the advent of botnet-based DDoS attack services that will be effective against most companies, anyone can target an organisation for just a few bitcoins,” Harshil Parikh, director of security at software-as-a-service platform firm Medallia, told the ISACA CSX Europe 2017 conference in London in November 2017.
The exploit code for Huawei vulnerability CVE-2017-17215, which is now available free of charge on text storage site Pastebin, has already been used in the Satori and Brickerbot IoT botnets.
These botnets have been described as next-gen Mirai botnets, and in December 2017, the Satori botnet in particular caught researchers’ attention because of its worm-like ability to propagate quickly.
According to security researchers at Qihoo 360 Netlab, the Satori botnet propagates by using two exploits to connect with devices on ports 37215 and 52869.
Satori was also notable for its ability to exploit remote code execution vulnerabilities to gain access, rather than relying on default passwords as Mirai did.
In December 2017, the Satori malware was reportedly able to infect more than 280,000 IP addresses in just 12 hours, hijacking thousands of routers by exploiting the CVE-2017-17215 vulnerability.
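The propagation pattern described above (one source contacting many hosts on ports 37215 and 52869) is something a defender can look for in flow or firewall logs. The following script is an added example, not code from the article or from any of the researchers it quotes; the log format, the sample records and the five-target threshold are all constructed assumptions, and the parser should be adapted to whatever export a real network produces.

```python
"""
Flag hosts that show Satori-style propagation behaviour: many distinct
destinations contacted on the two ports named in the Netlab analysis.
Log format, sample records and threshold are constructed for this example.
"""
from collections import defaultdict

# Ports the article attributes to Satori's two propagation exploits.
SATORI_PORTS = {37215, 52869}

# Constructed sample flow records: timestamp, src, dst, dport, proto.
SAMPLE_LOG = """\
2017-12-05T10:00:01Z 203.0.113.10 198.51.100.1 37215 tcp
2017-12-05T10:00:01Z 203.0.113.10 198.51.100.2 37215 tcp
2017-12-05T10:00:02Z 203.0.113.10 198.51.100.3 52869 tcp
2017-12-05T10:00:02Z 203.0.113.10 198.51.100.4 37215 tcp
2017-12-05T10:00:03Z 203.0.113.10 198.51.100.5 52869 tcp
2017-12-05T10:00:03Z 203.0.113.10 198.51.100.6 37215 tcp
2017-12-05T10:00:04Z 192.0.2.7 198.51.100.1 443 tcp
2017-12-05T10:00:05Z 192.0.2.7 198.51.100.1 37215 tcp
2017-12-05T10:00:06Z 192.0.2.8 198.51.100.9 80 tcp
not a valid line
"""


def parse_flow(line):
    """Parse one whitespace-separated flow record; return None on malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        dport = int(dport)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "proto": proto}


def find_scanners(log_text, min_targets=5):
    """Return {src: set(dst)} for sources that contacted at least
    min_targets distinct hosts on SATORI_PORTS (threshold is an assumption)."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None or rec["dport"] not in SATORI_PORTS:
            continue
        targets[rec["src"]].add(rec["dst"])
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"possible IoT worm propagation from {src}: "
              f"{len(dsts)} targets on ports {sorted(SATORI_PORTS)}")
```

A single connection to one of these ports is not evidence of anything, which is why the check counts distinct destinations per source rather than raw hits; on a real network the threshold should be set from a baseline of normal traffic to those ports, which for most sites is close to zero.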
The vulnerable home and small business routers can be protected by following the guidelines in a Huawei security notice, but the threat will be eliminated only if every device owner takes the necessary action.
When the vulnerability was discovered by security firm Check Point in its investigation of Satori attacks, it was reported to Huawei and the proof-of-concept code was not made public.
NewSky Security has likewise not published the Pastebin link to the exploit code, to prevent it from being misused by threat actors.
However, with the release of the full code, researchers at NewSky Security expect its usage “in more cases by script kiddies and copy-paste botnet masters,” principal researcher Ankit Anubhav wrote in a blog post.
He said NewSky Security had found the same exploit when analysing the Brickerbot source code in December 2017. “While analysing this code, we also uncovered the usage of CVE-2017-17215, implying this code has been in blackhats’ hands for a while.”
Commenting on the Satori botnet in December 2017, Rodney Joffe, senior vice-president and fellow at information services firm Neustar, said that as the number of devices connected to the internet continues to expand rapidly, so does the mass of vulnerabilities associated with the IoT.
“The sheer volume and complexity of these devices has opened a large window for targeted attacks, compromising the security and safety of household items, such as home routers,” he said.
Joffe believes that to mitigate these botnets, there needs to be a greater understanding of how to safeguard the realm of the IoT and everything it encompasses.
“While consumers are busying themselves with a brand new wealth of connected devices, making their homes – and lives – more convenient, it’s up to the manufacturers of these products to prioritise security,” he said.