The working code for a Mirai variant targeting a Huawei internet of things (IoT) vulnerability has been made available for free on Pastebin.
According to NewSky Security, the exploit, which attacks aspects of the SOAP protocol, has already been weaponized in two distinct IoT botnet attacks, namely Satori and Brickerbot.
“CVE-2017-17215, a vulnerability in Huawei HG532 devices, was discovered during a zero-day Satori attack by Check Point and was discreetly reported to Huawei for a fix,” explained the firm, in a blog. “The proof of concept code was not made public to prevent attackers from abusing it. However, with the release of the full code now by the threat actor, we expect its usage in more cases by script kiddies and copy-paste botnet masters.”
When analyzing snippets of the Brickerbot source code earlier in the month, the firm found usage of the same exploit, implying that the code has been available for a while.
“This is not the first time that IoT botnets are making use of issues related to the SOAP protocol,” said NewSky. “Earlier this year, we have observed several Mirai offshoots using two other SOAP bugs (CVE-2014-8361 and TR-64) which are code injections in and respectively.”
When an IoT exploit becomes freely available, it is only a matter of time before bad actors implement it as one of the attack vectors in their botnet code. For instance, prior to the Huawei bug, NewSky observed the leak of a NetGear router exploit (aka NbotLoader), which led to that code being integrated into the well-known botnet Qbot.
To protect the devices against CVE-2017-17215, Huawei has released a security patch.
Julian Palmer, vice president of engineering for Corero, said via email that the release of the code into the wild adds to the inventory of potential DDoS attack nodes, a concerning trend.
"This vulnerability simply adds fuel to the fire of botnet recruitment activity that could be poised to take aim at any victim, at any time," he said. "It seems the exploit method would allow injection of commands within a firmware update command, and could result in malicious code being installed on the router without later detection. The vulnerability still requires authenticated access, so the router must still be hacked first by gaining access. The old problem of default passwords is most likely the problem in this scenario. Therefore, that makes this new vulnerability not so different to Mirai, which brute-forced those logins when left at defaults."
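As an added illustration of the defender's side of the injection Palmer describes (this is example code written for this page, not code from the article, NewSky, Check Point or Huawei): a small Python checker that parses a SOAP request to a firmware-upgrade action and flags any argument whose value is not a plain http(s) download URL or carries shell metacharacters. The action name, the argument names and both sample envelopes are constructed assumptions for illustration, not the real HG532 request format.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Characters that let a value escape a shell command string built around it.
SHELL_META = re.compile(r"[;&|`$(){}\n]")

# Constructed sample requests. The "Upgrade" action and "NewDownloadURL"
# argument are assumed names, not taken from any real device or exploit.
BENIGN = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:Upgrade xmlns:u="urn:example-com:service:FirmwareUpgrade:1">
   <NewDownloadURL>http://fw.example.net/hg532/firmware.bin</NewDownloadURL>
  </u:Upgrade>
 </s:Body>
</s:Envelope>"""

INJECTED = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:Upgrade xmlns:u="urn:example-com:service:FirmwareUpgrade:1">
   <NewDownloadURL>http://fw.example.net/fw.bin;$(id)</NewDownloadURL>
  </u:Upgrade>
 </s:Body>
</s:Envelope>"""


def soap_action_args(body: str):
    """Return (action name, {argument: value}) for the first action in the SOAP Body."""
    root = ET.fromstring(body)
    soap_body = root.find(f"{{{SOAP_NS}}}Body")
    if soap_body is None or len(soap_body) == 0:
        return None, {}
    action = soap_body[0]
    name = action.tag.split("}")[-1]  # strip the namespace prefix
    args = {child.tag.split("}")[-1]: (child.text or "").strip() for child in action}
    return name, args


def suspicious_args(body: str):
    """Names of arguments that would be unsafe to pass into a shell-built update command."""
    _, args = soap_action_args(body)
    flagged = []
    for name, value in args.items():
        bad_url = False
        if name.endswith("URL"):  # download locations must be plain http(s) URLs
            parts = urlsplit(value)
            bad_url = parts.scheme not in ("http", "https") or not parts.netloc
        if bad_url or SHELL_META.search(value):
            flagged.append(name)
    return flagged
```

A gateway or the device's own SOAP handler should reject a request as soon as `suspicious_args` returns a non-empty list, rather than interpolating the value into a command.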
In terms of raw processing power, the routers' CPUs are larger than those of the cameras exploited by Mirai, but are not going to be vastly stronger, he added. "However, it doesn't make much difference," he noted. "It doesn't take a lot of CPU to launch these types of attacks."