
Satori: Sudden Awakening With Over 280,000 Active Bots - Exploits Zero-Day to Zombify Huawei Routers



Security researchers are raising the alarm regarding a new botnet named Satori that has been seen active on over 280,000 different IPs in the past 12 hours.

Satori, the Japanese word for "awakening", is not new malware but a variant of the more infamous Mirai IoT DDoS bot.

Li Fengpei, a security researcher with Qihoo 360 Netlab, says the Satori variant came to life out of the blue today and started scans on ports 37215 and 52869.

Satori variant differs from previous Mirai versions

According to a report Li shared with Bleeping Computer today, the Mirai Satori variant is quite different from all previous pure Mirai variants.

Previous Mirai versions infected IoT devices and then downloaded a Telnet scanner component that attempted to find other victims and infect them with the Mirai bot.

The Satori variant does not download a separate scanner. Instead, the bot itself carries two embedded exploits that it fires at remote devices on ports 37215 and 52869.

Effectively, this makes Satori an IoT worm: every infected device can find and compromise new victims on its own, without the need for separate components.

Growth fueled by mysterious Huawei exploit (zero-day?)

Li says that telemetry gathered by Netlab's infrastructure has observed 263,250 different IPs scanning port 37215, and 19,403 IPs scanning port 52869, in the last 12 hours. That's over 280,000 bots in the last half day.
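The per-port figures above are counts of distinct source IPs hitting each port. As an added example (not code from the article or from Netlab), the following script computes the same kind of summary from firewall drop logs. The log format (iptables-style LOG lines) and the sample lines are constructed for the example; the only things taken from the page are the two Satori scan ports.

```python
"""Count distinct scanning sources per destination port for the two Satori
scan ports (37215 and 52869), the way the article's telemetry is summarised.

Added example, not code from the article or from Netlab. The iptables-style
LOG format and the sample lines below are constructed for illustration.
"""
import re
from collections import defaultdict

SATORI_PORTS = {37215, 52869}  # the two ports the article says Satori scans

# Constructed sample: border-firewall drop lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Dec  5 10:01:02 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP SPT=40123 DPT=37215 SYN
Dec  5 10:01:03 fw kernel: DROP IN=eth0 SRC=203.0.113.11 DST=198.51.100.7 PROTO=TCP SPT=40124 DPT=37215 SYN
Dec  5 10:01:03 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.8 PROTO=TCP SPT=40125 DPT=37215 SYN
Dec  5 10:01:04 fw kernel: DROP IN=eth0 SRC=203.0.113.12 DST=198.51.100.7 PROTO=TCP SPT=40126 DPT=52869 SYN
Dec  5 10:01:05 fw kernel: DROP IN=eth0 SRC=203.0.113.13 DST=198.51.100.7 PROTO=TCP SPT=40127 DPT=22 SYN
Dec  5 10:01:06 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP SPT=40128 DPT=52869 SYN
"""

# Pull the source address and TCP destination port out of one LOG line.
LINE_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def distinct_sources_per_port(log_text, ports=SATORI_PORTS):
    """Return {port: set(source_ips)} for the ports of interest only."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a TCP drop line we understand
        port = int(m.group("dpt"))
        if port in ports:
            seen[port].add(m.group("src"))
    return dict(seen)


def satori_summary(log_text):
    """Distinct scanners per port, plus the union across both ports.

    A source that scans both ports is counted once in 'total_distinct';
    simply adding the per-port counts would count it twice.
    """
    per_port = distinct_sources_per_port(log_text)
    all_sources = set().union(*per_port.values()) if per_port else set()
    return {
        "per_port": {p: len(s) for p, s in per_port.items()},
        "total_distinct": len(all_sources),
    }


if __name__ == "__main__":
    print(satori_summary(SAMPLE_LOG))
```

One caveat the summary makes explicit: the article's "over 280,000" is the sum of the two per-port counts (263,250 + 19,403). A bot that probes both ports appears in both sets, so the sum is an upper bound on the number of infected hosts; the union of the two source sets is the figure to report as a bot count.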

A botnet reaching this size this quickly is of note. Satori's success is in large part due to the exploit it delivers on port 37215. According to Li's description, this appears to be a zero-day.

"The one on port 37215 is not fully disclosed yet, our team has been tracking this in the last few days and got quite some insight, but we will not discuss it," Li said.

Dale Drew, chief security strategist at broadband Internet provider CenturyLink, told ArsTechnica in an interview published earlier today that he believes this botnet abuses a zero-day in Huawei Home Gateway routers: a remote code execution bug noticed by Check Point at the end of November, about which very few details are available.

A security researcher shared details with Bleeping Computer about the possible exploit, and a Shodan search for affected devices yields over 225,000 devices that are currently available online.

As for the other exploit, on port 52869, this one targets a known and old vulnerability in Realtek devices (CVE-2014-8361), which has most likely been patched in some devices, which is why scans for this exploit are less successful.
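Because CVE-2014-8361 is old and public, traffic to 52869 can be inspected rather than just counted. The following is an added example, not code from the article: a classifier for an HTTP request captured on TCP/52869. Beyond what the page states (port 52869, CVE-2014-8361, Realtek), it relies on the public description of that CVE: a command injection in the Realtek SDK UPnP (miniigd) SOAP service, triggered through the NewInternalClient element of an AddPortMapping request. The request bodies, the request path and the injected string `id` are constructed for the example and are not Satori's payload.

```python
"""Classify an HTTP request seen on TCP/52869 as benign, suspicious, or a
CVE-2014-8361-style command injection attempt against the Realtek SDK UPnP
(miniigd) SOAP service.

Added example, not from the article. Facts relied on beyond the page, from
the public CVE description: the bug is a command injection via the
NewInternalClient element of the SOAP AddPortMapping action. The sample
requests below are constructed; the request path is illustrative only and
is not used by the classifier.
"""
import re

SOAP_ADD_PORT_MAPPING = "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")  # the only legitimate value
CLIENT_RE = re.compile(r"<NewInternalClient>(.*?)</NewInternalClient>", re.S)
SHELL_META = ("`", "$(", ";", "|", "&", "\n")  # tokens that only make sense to a shell


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1", "replace")


def classify_upnp_request(raw: bytes) -> str:
    """Return 'benign', 'suspicious' or 'cve-2014-8361' for one request."""
    _, headers, body = parse_http_request(raw)
    action = headers.get("soapaction", "").strip('"')
    if action != SOAP_ADD_PORT_MAPPING:
        return "benign"  # not the vulnerable action at all
    m = CLIENT_RE.search(body)
    if not m:
        return "suspicious"  # AddPortMapping without a client address is malformed
    client = m.group(1).strip()
    if any(tok in client for tok in SHELL_META):
        return "cve-2014-8361"  # shell metacharacters where an IPv4 address belongs
    if not IPV4_RE.match(client):
        return "suspicious"  # not an injection we recognise, but not an address either
    return "benign"


def _soap_request(internal_client: str) -> bytes:
    """Build a constructed AddPortMapping request with the given NewInternalClient."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        '<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        '<NewRemoteHost></NewRemoteHost><NewExternalPort>47911</NewExternalPort>'
        '<NewProtocol>TCP</NewProtocol><NewInternalPort>47911</NewInternalPort>'
        f'<NewInternalClient>{internal_client}</NewInternalClient>'
        '<NewEnabled>1</NewEnabled>'
        '<NewPortMappingDescription>example</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:AddPortMapping></s:Body></s:Envelope>'
    )
    head = (
        "POST /upnp/control/WANIPConn1 HTTP/1.1\r\n"  # illustrative path (assumption)
        "Host: 192.0.2.1:52869\r\n"
        "Content-Type: text/xml\r\n"
        f'SOAPAction: "{SOAP_ADD_PORT_MAPPING}"\r\n'
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return head.encode("latin-1") + body.encode("latin-1")


# Constructed samples: a normal port-mapping request and an injection attempt.
BENIGN_REQUEST = _soap_request("192.168.1.50")
INJECTION_REQUEST = _soap_request("`id`")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("injection", INJECTION_REQUEST)):
        print(name, "->", classify_upnp_request(req))
```

The rule keys on the action plus the shape of NewInternalClient rather than on any specific command string, so it also catches payloads that differ from whatever Satori sends; a value that is neither an address nor obviously shell syntax is reported as suspicious instead of being silently accepted.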

Satori has connections to a previous Mirai botnet

Li also points out that there are clues linking the botnet built with the Mirai Satori variant to another Mirai-based botnet Netlab saw last month, which reached around 100,000 bots, most of them located in Argentina.

It is unclear if the same person runs both botnets, but Li says the current Mirai Satori variant and the previous Mirai-based variant share file names, static features, and some of the C2 protocols.

A security researcher told Bleeping Computer today that they too believe the two botnets to be related, with Satori evolving from last month's Mirai variant.

Right now, security researchers are still gathering information on this new threat, but public honeypot data confirms Netlab's report.
