Check Point researchers found that Huawei Technologies Co. Ltd. home routers contained a vulnerability that was being exploited by a variant of the Mirai malware. How does the malware take control of these routers to perform an internet of things botnet attack, and what mitigation steps are available?
A hacker modified the Mirai malware source code that was publicly available on Hack Forums.
The modified code exploited a then-unknown vulnerability in Huawei routers by sending malicious packets to TCP port 37215. Injecting shell metacharacters into the DeviceUpgrade process let the attacker execute commands on the router, turning it into a bot that could be instructed to flood targets with manually crafted malicious TCP or UDP packets. These packets are transmitted on instruction from the botnet's command-and-control server.
After several frustrating attempts, Check Point researchers zeroed in on the hacker who performed the initial IoT botnet attack -- someone known as Nexus Zeta. The email address the hacker used to register a command-and-control domain belonging to the botnet was also used on a hacker forum. The few posts the hacker made there indicated "an initiative to establish a Mirai-like IoT botnet," according to the Check Point researchers.
The researchers demonstrated the IoT botnet attack by exploiting the TR-064 implementation vulnerability in Huawei router model HG532. TR-064 is a broadband protocol for remote configuration and administration of internet-connected routers and other embedded devices. The vulnerability exposed the router to the WAN on port 37215.
The router was exposed to the botnet on that port using the Universal Plug and Play (UPnP) protocol and the TR-064 standard, which enables embedded UPnP devices to be added to a local network. UPnP's support for the DeviceUpgrade command makes it possible to deploy firmware upgrades. The researchers observed that the exploit returned the default HUAWEIUPNP message before the upgrade was initiated.
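As an added illustration of the request pattern described above (not code from Check Point or Huawei), the following Python inspector flags TR-064 DeviceUpgrade requests arriving on TCP 37215 whose argument values carry shell metacharacters. The SOAP service and element names and the two sample requests are constructed for this example.

```python
"""Flag TR-064/UPnP DeviceUpgrade requests that carry shell metacharacters."""
import re
from typing import Dict, List, Optional

# TCP port on which the HG532's UPnP/TR-064 service was reachable from the WAN.
UPNP_PORT = 37215
# Shell metacharacters that have no business inside a firmware URL or version
# string: command separators, pipes, backticks and $(...) substitution.
SHELL_META = re.compile(r"[;|`$]|&&|\|\|")


def text_nodes(xml_body: str) -> List[str]:
    """Return the text content between tags, ignoring the tags themselves."""
    return [t.strip() for t in re.findall(r">([^<]*)<", xml_body) if t.strip()]


def inspect_request(dst_port: int, headers: Dict[str, str], body: str) -> Optional[str]:
    """Return a reason string when a request looks like a DeviceUpgrade injection
    attempt, otherwise None.  Only requests to the UPnP port that name the
    DeviceUpgrade service are examined, so ordinary traffic is never flagged."""
    if dst_port != UPNP_PORT:
        return None
    soap_action = headers.get("SOAPAction", "")
    if "DeviceUpgrade" not in soap_action and "DeviceUpgrade" not in body:
        return None
    for node in text_nodes(body):
        hit = SHELL_META.search(node)
        if hit:
            return f"DeviceUpgrade argument contains shell metacharacter {hit.group(0)!r}: {node!r}"
    return None


# Constructed SOAP request skeleton; service and element names are placeholders.
SOAP_TEMPLATE = (
    '<?xml version="1.0"?><s:Envelope><s:Body>'
    '<u:Upgrade xmlns:u="urn:schemas-upnp-org:service:DeviceUpgrade:1">'
    "<UpgradeURL>{url}</UpgradeURL></u:Upgrade></s:Body></s:Envelope>"
)
HEADERS = {"SOAPAction": '"urn:schemas-upnp-org:service:DeviceUpgrade:1#Upgrade"'}
# Constructed samples: a plain firmware URL versus one with an appended command.
BENIGN_REQUEST = SOAP_TEMPLATE.format(url="http://firmware.example.net/hg532/v1.bin")
INJECTED_REQUEST = SOAP_TEMPLATE.format(url="http://203.0.113.9/fw.bin;echo injected")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_REQUEST), ("injected", INJECTED_REQUEST)):
        print(label, "->", inspect_request(UPNP_PORT, HEADERS, body))
```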
According to Huawei, mitigation steps to defend against this IoT botnet attack include configuring the router's built-in firewall, changing the default password or using a firewall on the carrier side. All firewall configurations on the client side should be backed up.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)