Check Point researchers found that Huawei Technologies Co. Ltd. home routers contained a vulnerability that was being exploited by a variant of the Mirai malware. How does the malware take control of these routers to perform an internet of things botnet attack, and what mitigation steps are available?
A hacker modified the Mirai malware source code that was publicly available on Hack Forums.
The modified code exploited a then-unknown vulnerability in Huawei routers by sending malicious packets to TCP port 37215. Those packets injected shell metacharacters into the router's DeviceUpgrade process, which let the attacker execute commands on the device and instruct the resulting bot to flood targets with manually crafted TCP or UDP packets. The instruction to send these flood packets is transmitted from the botnet's command-and-control server.
After several frustrating attempts, Check Point researchers zeroed in on the hacker behind the initial IoT botnet attack, someone known as Nexus Zeta. The email address the hacker used to register a command-and-control domain belonging to the botnet was also used on a hacker forum. The few posts the hacker made on that forum indicated "an initiative to establish a Mirai-like IoT botnet," according to the Check Point researchers.
The researchers demonstrated the IoT botnet attack by exploiting the TR-064 implementation vulnerability in Huawei router model HG532. TR-064 is a broadband protocol for remote configuration and administration of internet-connected routers and other embedded devices. This vulnerability exposed the router to the WAN through port 37215.
The router was reachable by the botnet on that port through the Universal Plug and Play (UPnP) protocol and the TR-064 standard, which lets embedded UPnP devices be added to a local network. UPnP's support for the DeviceUpgrade command is what makes it possible to deploy firmware upgrades, and therefore what the injected shell metacharacters abuse. The researchers observed that the exploit returned the default HUAWEIUPNP message before the upgrade was initiated.
According to Huawei, mitigation steps to defend against this IoT botnet attack include configuring the router's built-in firewall, changing the default password or using a firewall on the carrier side. All firewall configurations on the client side should be backed up.
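As an added example (not code from Check Point's research or from Huawei), the following Python sketches the argument validation that a hardened DeviceUpgrade handler, or an inspection device in front of TCP port 37215, would apply to the TR-064 SOAP request described above: every argument must be a plain http(s) URL and must contain no shell metacharacters. The SOAP namespace, the argument names NewStatusURL and NewDownloadURL and both sample requests are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Shell metacharacters that have no business in a firmware URL argument.
SHELL_META = set(";|&`$(){}<>\n\r'\"\\")

# Allowlist for a status/firmware URL: http(s), hostname, optional port, simple path.
SAFE_URL = re.compile(r"^https?://[A-Za-z0-9.-]+(:\d{1,5})?(/[A-Za-z0-9._/-]*)?$")

def local_name(tag: str) -> str:
    """Strip an XML namespace, e.g. '{urn:...}DeviceUpgrade' -> 'DeviceUpgrade'."""
    return tag.rsplit("}", 1)[-1]

def inspect_device_upgrade(soap_body: str) -> list:
    """Validate every argument of a DeviceUpgrade action in a TR-064 SOAP body.

    Returns a list of (argument_name, reason) findings; an empty list means each
    argument is a plain http(s) URL with no shell metacharacters. A hardened
    firmware runs this check before the values reach any shell or system() call.
    """
    findings = []
    root = ET.fromstring(soap_body)
    for action in root.iter():
        if local_name(action.tag) != "DeviceUpgrade":
            continue
        for arg in action:
            value = (arg.text or "").strip()
            if set(value) & SHELL_META:
                findings.append((local_name(arg.tag), "shell_metacharacters"))
            elif not SAFE_URL.match(value):
                findings.append((local_name(arg.tag), "bad_url"))
    return findings

# Constructed sample requests; namespace and argument names are assumptions.
MALICIOUS_REQUEST = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:DeviceUpgrade xmlns:u="urn:example:service:DeviceUpgrade:1">
<NewStatusURL>;echo injected;</NewStatusURL>
<NewDownloadURL>firmware.bin</NewDownloadURL>
</u:DeviceUpgrade></s:Body></s:Envelope>"""

BENIGN_REQUEST = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:DeviceUpgrade xmlns:u="urn:example:service:DeviceUpgrade:1">
<NewStatusURL>http://192.0.2.10/status</NewStatusURL>
<NewDownloadURL>http://192.0.2.10/fw/hg532.bin</NewDownloadURL>
</u:DeviceUpgrade></s:Body></s:Envelope>"""

if __name__ == "__main__":
    # -> [('NewStatusURL', 'shell_metacharacters'), ('NewDownloadURL', 'bad_url')]
    print(inspect_device_upgrade(MALICIOUS_REQUEST))
    print(inspect_device_upgrade(BENIGN_REQUEST))  # -> []
```

The check is deliberately an allowlist rather than a blocklist: a request is refused unless the argument is a well-formed URL, so novel metacharacter tricks fail by default.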
Related Q&A from Judith Myerson