STE WILLIAMS

Fresh botnet recruiting routers with weak credentials

Security researchers believe the author of the Satori botnet is at it again, this time attacking routers to craft a botnet dubbed “Masuta”.

The early-January Satori botnet exploited a Huawei router zero-day. Masuta also hits routers.

According to NewSky’s analysis, the attack comes in two flavours. There’s Masuta, which takes the standard IoT approach of tapping devices for default credentials (hidden by a single XOR by 0x22, inspired by Mirai); and there’s the more sophisticated “PureMasuta” which exploits an old network administration bug.

That bug dates back to 2015, when Craig Heffner identified a flaw in D-Link’s Home Network Administration Protocol (HNAP). That’s what PureMasuta tries to exploit.

NewSky wrote:

It is possible to craft a SOAP query which can bypass authentication by using hxxp://purenetworks.com/HNAP1/GetDeviceSettings. Also, it is feasible to run system commands (leading to arbitrary code execution) because of improper string handling. When both issues are combined, one can form a SOAP request which first bypasses authentication, and then causes arbitrary code execution.

Since the bug makes routers run whatever follows GetDeviceSettings in the request, PureMasuta’s bot-herders use it to run a wget that fetches and runs a shell script, recruiting the device into their botnet.

If you have a vulnerable device – D-Link’s AC300, for example – make sure you’ve got firmware newer than 2015.
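For traffic you have already captured, the added example below (not code from NewSky or the original article) flags requests whose SOAPAction header carries anything after GetDeviceSettings. It assumes raw HTTP request text as input and that the action URI arrives in the SOAPAction header; the function names, labels and sample requests are constructed for illustration.

```python
# Added example: triage captured HTTP requests for HNAP SOAPAction abuse.
HNAP_PREFIX = "http://purenetworks.com/hnap1/"
HNAP_ACTION = HNAP_PREFIX + "getdevicesettings"  # action named in NewSky's analysis

def soap_action(raw_request):
    """Return the SOAPAction value (lower-cased, outer quotes stripped) or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "soapaction":
            return value.strip().strip('"').lower()
    return None

def classify(raw_request):
    """Label a request by how its SOAPAction relates to GetDeviceSettings."""
    action = soap_action(raw_request)
    if action is None:
        return "no-soapaction"
    if action == HNAP_ACTION:
        return "hnap-exact"          # the unauthenticated query on its own
    if action.startswith(HNAP_ACTION):
        return "hnap-trailing-data"  # something follows the action name: investigate
    if action.startswith(HNAP_PREFIX):
        return "hnap-other"
    return "other-soap"

def suspicious(requests):
    """Names of the requests that carry data after GetDeviceSettings."""
    return sorted(n for n, raw in requests.items()
                  if classify(raw) == "hnap-trailing-data")

def _req(first_line, *headers):
    return "\r\n".join((first_line,) + headers) + "\r\n\r\n"

# Constructed sample requests (192.0.2.1 is a documentation address).
SAMPLES = {
    "admin-ui": _req("POST /HNAP1/ HTTP/1.1", "Host: 192.0.2.1",
                     'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings"'),
    "probe": _req("POST /HNAP1/ HTTP/1.1", "Host: 192.0.2.1",
                  'soapaction: "http://purenetworks.com/HNAP1/GetDeviceSettings/CONSTRUCTED-TRAILING-DATA"'),
    "wan": _req("POST /HNAP1/ HTTP/1.1", "Host: 192.0.2.1",
                'SOAPAction: "http://purenetworks.com/HNAP1/GetWanSettings"'),
    "web": _req("GET /index.html HTTP/1.1", "Host: 192.0.2.1"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} {classify(raw)}")
```

An HNAP request arriving on a router's WAN interface deserves a look whatever label it gets; the trailing-data label only marks the ones that match the pattern described above.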

NewSky’s attribution of the botnet, to an entity they dub “Nexus Zeta”, comes from the C&C URL nexusiotsolutions(dot)net, since this was the same URL as the Satori botnet used. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/24/fresh_botnet_recruiting_routers_with_weak_credentials/