Huawei Router Exploit Code Used in IoT Botnet Made Public

According to researchers at NewSky Security, the code from the Satori IoT botnet was publically released by a known threat actor over Christmas. The code, which exploits a vulnerability in Huawei routers, has been used in both the Satori and Brickerbot botnets, the company said in a blog post. The vulnerability, which was shut down by ISPs last month, was discovered by security firm Check Point in November. They promptly reported the issue to Huawei.

“An authenticated attacker could send malicious packets to port 37215 to launch attacks. A successful exploit could lead to the remote execution of arbitrary code,” Huawei said.

Blocking Botnet Attacks

Check Point reported that the root cause of the flaw is linked to Huawei’s implementation of the “Universal Plug and Play” protocol via the TR-064 technical report standard. Huawei implementation allowed remote attackers to inject arbitrary commands, which hackers used to build the Satori botnet, said NewSky in their blog post.

See also: Hackers behind Mirai botnet plead guilty

Maya Horowitz, Threat Intelligence Group Manager at Check Point, said “[Users should] change the default password on their router,” and recommends that end users running Huawei routers behind a firewall or Intrusion Prevention System should configure those devices to block the exploit’s traffic.”

To protect the devices against CVE-2017–17215, Huawei has released a security notice which can be accessed here. In it, they address the vulnerability and advise users on how to protect themselves. Some of the advice is common sense, such as changing the default username and password, something that should always be done when setting up a new internet connected device of any kind. The company said their investigation into the matter is not yet completed but promised to continue providing updates as quickly as possible.