In late November 2017, Check Point analysts discovered Satori, a malware family developed from the source code of Mirai, engaging in botnet activity: flooding targets with manually crafted UDP or TCP packets. Satori exploits two vulnerabilities, CVE-2014-8361 and CVE-2017-17215. The first is an older remote code execution vulnerability in the miniigd daemon of the Realtek SDK Universal Plug and Play (UPnP) SOAP interface; the second is a remote code execution vulnerability in the Huawei HG532e home router. Check Point disclosed the router vulnerability, and Huawei subsequently issued a security notice with instructions on how to mitigate the threat.
In early December, 360 Netlab observed the newest version of the Satori variant propagating quickly via ports 37215 and 52869 and noted that this bot has worm-like functionality: it performs scanning itself rather than relying on a separate loader or scanner to infect devices. Examination of the source code indicates that it is also capable of brute-forcing Telnet over ports 23 and 2223 and of disabling the watchdog timer, a hardware timer used to detect and recover from system malfunctions.
The NJCCIC recommends users and administrators of vulnerable Huawei routers review Huawei’s updated Security Notice, configure their routers’ built-in firewall or deploy a firewall at the carrier side, and change the default password. We recommend users and administrators of routers affected by the Realtek SDK flaw consult the corresponding manufacturer's website and apply any available patches as soon as possible.
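The propagation ports named above (37215 and 52869 for the two exploits, 23 and 2223 for Telnet brute forcing) give a network defender something concrete to watch for. The following is an added example, not code from the NJCCIC, Check Point or 360 Netlab: it parses constructed firewall-style connection-log lines (the `src=`/`dst=`/`dport=`/`proto=` field layout is an assumption, not a real product's format) and flags any source that reaches several distinct destinations on a Satori-associated TCP port, which is the worm-style sweep behaviour 360 Netlab described.

```python
"""Flag sources sweeping the TCP ports associated with Satori propagation.

Added example; not code from the advisory's sources. The log format below
(constructed) is: "<timestamp> <host> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>".
"""
import re
from collections import defaultdict

# Ports named in the advisory and what each one corresponds to.
SATORI_PORTS = {
    37215: "Huawei HG532 (CVE-2017-17215)",
    52869: "Realtek SDK miniigd UPnP (CVE-2014-8361)",
    23: "Telnet brute force",
    2223: "Telnet brute force",
}

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def parse_line(line):
    """Return (src, dst, dport, proto) or None when the line lacks the fields."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport")), m.group("proto").lower()


def find_scanners(lines, min_targets=3):
    """Return {src: {port: [dst, ...]}} for sources that touched at least
    min_targets distinct destinations on any Satori-associated TCP port.
    A single connection to one device is normal; a fan-out across many
    devices on these ports is the scanning pattern worth alerting on."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or unrelated line
        src, dst, dport, proto = parsed
        if proto != "tcp" or dport not in SATORI_PORTS:
            continue
        hits[src][dport].add(dst)

    flagged = {}
    for src, by_port in hits.items():
        suspicious = {
            port: sorted(dsts) for port, dsts in by_port.items() if len(dsts) >= min_targets
        }
        if suspicious:
            flagged[src] = suspicious
    return flagged


def describe(flagged):
    """Render the findings as one line per (source, port) for an analyst."""
    return [
        f"{src} -> {len(dsts)} hosts on tcp/{port} [{SATORI_PORTS[port]}]"
        for src, by_port in flagged.items()
        for port, dsts in sorted(by_port.items())
    ]


# Constructed sample log: one source sweeping both exploit ports, another
# touching Telnet on only two hosts plus unrelated HTTPS traffic.
SAMPLE_LOG = [
    "Dec 05 10:00:01 fw kernel: src=198.51.100.7 dst=192.0.2.10 dport=37215 proto=tcp",
    "Dec 05 10:00:01 fw kernel: src=198.51.100.7 dst=192.0.2.11 dport=37215 proto=tcp",
    "Dec 05 10:00:02 fw kernel: src=198.51.100.7 dst=192.0.2.12 dport=37215 proto=tcp",
    "Dec 05 10:00:02 fw kernel: src=198.51.100.7 dst=192.0.2.13 dport=37215 proto=tcp",
    "Dec 05 10:00:03 fw kernel: src=198.51.100.7 dst=192.0.2.10 dport=52869 proto=tcp",
    "Dec 05 10:00:03 fw kernel: src=198.51.100.7 dst=192.0.2.11 dport=52869 proto=tcp",
    "Dec 05 10:00:04 fw kernel: src=198.51.100.7 dst=192.0.2.12 dport=52869 proto=tcp",
    "Dec 05 10:00:05 fw kernel: src=198.51.100.7 dst=192.0.2.14 dport=37215 proto=udp",
    "Dec 05 10:01:00 fw kernel: src=203.0.113.9 dst=192.0.2.20 dport=23 proto=tcp",
    "Dec 05 10:01:01 fw kernel: src=203.0.113.9 dst=192.0.2.21 dport=23 proto=tcp",
    "Dec 05 10:01:02 fw kernel: src=203.0.113.9 dst=192.0.2.22 dport=443 proto=tcp",
    "Dec 05 10:01:03 fw kernel: src=203.0.113.9 dst=192.0.2.23 dport=443 proto=tcp",
    "Dec 05 10:01:04 fw kernel: src=203.0.113.9 dst=192.0.2.24 dport=443 proto=tcp",
    "Dec 05 10:02:00 fw kernel: link state change on eth1",
]

if __name__ == "__main__":
    for line in describe(find_scanners(SAMPLE_LOG)):
        print(line)
```

With the default threshold only 198.51.100.7 is reported (four hosts on tcp/37215, three on tcp/52869); lowering `min_targets` to 2 also surfaces the Telnet fan-out from 203.0.113.9. The UDP line on 37215 and the HTTPS connections are ignored because the exploits and Telnet brute forcing described in the advisory are TCP and the other ports are not on the list.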
Reporting and Technical Details:
- December 2017: Huawei Home Routers in Botnet Recruitment (Check Point)
- December 2017: Warning: Satori, a Mirai Branch Is Spreading in Worm Style on Port 37215 and 52869 (360 Netlab)
- December 2017: Security Notice - Statement on Remote Code Execution Vulnerability in Huawei HG532 Product (Huawei)
- January 2018: IoT Malware Evolves to Harvest Bots by Exploiting a Zero-day Home Router Vulnerability (Palo Alto Networks)
- January 2018: Satori Botnet Is Now Attacking Ethereum Mining Rigs (Bleeping Computer)
- January 2018: The ARC of Satori (Arbor Networks)
- May 2018: The Satori Botnet Is Mass-Scanning for Exposed Ethereum Mining Rigs (Bleeping Computer)
- June 2018: All That Port 8000 Traffic This Week! Yeah, That's Satori Looking for New Bots (Bleeping Computer)