Q
Problem solve Get help with specific problems with your technologies, process and projects.
This article is part of our Essential Guide: How the Mirai botnet changed IoT security and DDoS defense

What can enterprises do to prevent an IoT botnet attack?

An IoT botnet attack on Huawei home routers showed similarities to the Mirai malware. Expert Judith Myerson explains the threat and how enterprises can protect themselves.

Check Point researchers found that Huawei Technologies Co. Ltd. home routers contained a vulnerability that was...

being exploited by a variant of the Mirai malware. How does the malware take control of these routers to perform an internet of things botnet attack, and what mitigation steps are available?

A hacker modified the Mirai malware source code that was publicly available on Hack Forums.

The modification was used to exploit a then-unknown vulnerability in Huawei routers and to enable hackers to send malicious packets to TCP port 37215. The hackers could then inject shell meta-characters into the DeviceUpgrade process to permit the attacker to execute commands instructing the bot to flood targets with manually crafted malicious TCP or UDP packets. These packets are transmitted from a botnet's command-and-control server.

After several frustrating attempts, Check Point researchers zeroed in on the hacker who performed the initial IoT botnet attack -- someone known as Nexus Zeta. The email address the hacker used to register a command-and-control domain belonging to the botnet was also used to connect with the hacker's forum. The few posts the hacker made on the forum indicated "an initiative to establish a Mirai-like IoT botnet," according to the Check Point researchers.

The researchers demonstrated the IoT botnet attack by exploiting the TR-064 implementation vulnerability in Huawei router model HG532. TR-064 is a broadband protocol for remote configuration and administration of internet-connected routers and other embedded devices. This vulnerability exposed the router to WAN through port 37215.

The router was exposed to the botnet on that port using the Universal Plug and Play (UPnP) protocol and the TR-064 standard, which enables embedded UPnP devices to be added to a local network. UPnP's support for the DeviceUpgrade command makes it possible to deploy firmware upgrades. The researchers observed that the exploit returned the default HUAWEIUPNP message before the upgrade was initiated.

According to Huawei, mitigation steps to defend against this IoT botnet attack include configuring the router's built-in firewall, changing the default password or using a firewall on the carrier side. All firewall configurations on the client side should be backed up.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

This was last published in February 2018

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

What lessons has your organization learned from the Mirai malware and all of its variants?
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close