Hacker Ensnares 18,000 Huawei Devices Into Massive Botnet In Just 24 Hours
Huawei is far and away best known for its smartphones and, to some extent, its line of laptops like the Matebook X Pro. However, it also manufactures routers and gateways, and one of its older models, the HG532, contains a vulnerability that a malware author exploited to create a fairly large botnet. What's particularly frightening about this is that it only took the malware author a single day to wreak havoc.
The new botnet currently spans over 18,000 routers, and is presumably growing. It was initially spotted by security researchers from NewSky Security and later confirmed by several other outfits.
Just in: IoT hacker identifying himself as "Anarchy" has claimed to hack about 18000+ Huawei routers. The vulnerability is 2017-17215, leaked last Christmas & used in satori. He also takes responsibility for massive uptick in Huawei scanning now as seen in @360Netlab scanmon. 1/n pic.twitter.com/qOATps9Dmv
— Ankit Anubhav (@ankit_anubhav) July 18, 2018
According to the findings, the vulnerability can be exploited through port 37215. To be clear, this is not a zero-day exploit. Instead, the malware author took advantage of a high-profile vulnerability that several other botnets have previously exploited. It's a remote code execution vulnerability that's been documented as CVE-2017-17215, and for which Huawei released a security notice in November of last year.
"An authenticated attacker could send malicious packets to port 37215 to launch attacks. Successful exploit could lead to the remote execution of arbitrary code," Huawei said at the time.
It's not clear why the vulnerability still exists after all this time, only that an attacker who goes by the name "Wicked" is actively exploiting it. The malware author bragged about this misdeed to NewSky Security, saying he was motivated by money.
"Money plays a big part in it, but it's also fun to write these types of things. The monetary gain from this does come from web stressers that may rent our botnet out for a period," Wicked said.
Wicked also said that he has begun testing a vulnerability in Realtek routers using port 52869. If successful, we could be looking at an even bigger botnet than what he has already been able to assemble in a short period of time.