Huge Botnet - Comprising More Than 18,000 Huawei Routers – was Created by Anarc
A huge botnet, comprising more than 18,000 routers, was created by a malware author in a single day. Security researchers at NewSky Security were the first to spot this new botnet. Greynoise, Rapid7, and Qihoo 360 Netlab have also confirmed NewSky Security's findings.
The botmaster exploited CVE-2017-17215, a vulnerability in Huawei HG532 routers. According to data collected by Netlab's NetScan system, scanning for this vulnerability, which can be exploited through port 37215, started on 18 July 2018. Ankit Anubhav, Security Researcher at NewSky, said that the botnet had already gathered more than 18,000 routers by the end of the day.
The botmaster operates online under the pseudonym "Anarchy". According to Anubhav, Anarchy was previously known as "Wicked", and at that time created variants of the Mirai IoT malware. Wicked/Anarchy is also believed to be responsible for other Mirai variants, including Owari (Sora) and Omni. These variants were used earlier to perform DDoS attacks.
According to Bleeping Computer, the bigger challenge is not scrutinizing what the botmaster has done or is doing, but addressing how such a huge botnet could be created so easily and effectively. Surprisingly, the method used to create the botnet relied on neither a zero-day nor any other previously unexploited vulnerability. Rather, the botnet was created with the same high-profile vulnerability that many other botnets have already exploited. Two versions of the Satori botnet, as well as several smaller Mirai-based offshoots, have abused the well-known exploit for CVE-2017-17215.
Corero Network Security's Product Management Director, Sean Newman, said that the major issue with IoT security is that, despite several notifications from vendors about the release of new updates, device owners have yet to patch the flaws.
Newman added that vendors cannot force users to patch the flaws. He further added that "whilst this behavior continues, there remains no end in sight for IoT devices being acquired for various nefarious activities including use in botnets for launching DDoS and other large-scale criminal campaigns."
» SPAMfighter News - 02-08-2018