JenX

Discovered in 2018 by Radware researchers, JenX is a botnet that leverages two vulnerabilities, CVE-2014-8361 and CVE-2017-17215, to locate and infect new devices. CVE-2014-8361 is an older remote code execution vulnerability that resides in the miniigd daemon of the Realtek SDK Universal Plug and Play (UPnP) SOAP interface, and CVE-2017-17215 is a remote code execution vulnerability in the Huawei HG532e home router. JenX exploits the same vulnerabilities as the Satori botnet and uses infection techniques similar to those of PureMasuta. The botnet's C2 server is hosted on a site that provides multiplayer mod support for the video game Grand Theft Auto: San Andreas and advertises the ability to perform distributed denial-of-service (DDoS) attacks at a starting price of $20. The JenX botnet creator advertises the ability to perform query floods, attacks against NFO gaming servers, attacks against OVH, and attacks against TeamSpeak3 (TS3), an app used for voice and text chat. JenX also boasts the ability to perform DDoS attacks that reach over 1 terabyte per second (Tbps).

The NJCCIC recommends users and administrators of vulnerable Huawei routers review Huawei’s updated Security Notice, configure their routers’ built-in firewall or deploy a firewall at the carrier side, and change the default password. We recommend users and administrators of routers affected by the Realtek SDK flaw consult the corresponding manufacturer's website and apply any available patches as soon as possible.

Reporting and Technical Details:

Image Source: NJCCIC Analyst Screen Capture of JenX Website
