Anarchy botmaster builds a botnet of 18,000 Huawei routers in a few hours

Anarchy botmaster builds a botnet of 18,000 Huawei routers in a few hours
22.7.2018 securityaffairs BotNet

The popular Anarchy botmaster builds a botnet of 18,000 Huawei routers in a few hours, and it is also planning to target vulnerable Realtek routers.
NewSky Security first reported the born a new huge botnet, in just one day the botmaster compromised more than 18,000 Huawei routers.

NewSky security researcher Ankit Anubhav announced that the botnet had already infected 18,000 routers. The disconcerting aspect of the story is that the hacker gathered a so huge number of devices in a limited period of time, without using any zero-day issue.

The same botnet was today reported by experts from other security firms, including Qihoo 360 Netlab, Greynoise, and Rapid7.

360 Netlab
@360Netlab
We were tracking this botnet yesterday, the claimed 18000+ huawai router number is probably inflated, as we were able to take a peek at the file which highly likely stored the infected ips, the total count was 10901. and attached is the graphic of the C2 for this botnet, big one.

Ankit Anubhav
@ankit_anubhav
Just in : IoT hacker identifying himself as "Anarchy" has claimed to hack about 18000+ Huawei routers.The vulnerability is 2017-17215, leaked last Christmas & used in satori

He also takes responsibility for massive uptick in Huawei scanning now as seen in @360Netlab scanmon. 1/n

View image on Twitter
3:43 AM - Jul 19, 2018
39
38 people are talking about this
Twitter Ads info and privacy
The botmaster has infected systems by exploiting the CVE-2017-17215 vulnerability in Huawei HG532 routers. Experts noticed that the attackers started scanning for the flaw, that could be triggered via port 37215, on July 18.
Anarchy botnet
The botmaster is a hacker that goes online with the moniker “Anarchy,” according to Anubhav he was previously identified as Wicked and was involved in the born of the homonymous Mirai variant.

The Wicked Mirai botnet was first spotted by researchers at Fortinet, and Anubhav published on the NewSky’s blog and interview with the hacker.

Wicked/Anarchy is believed to be the threat actor behind other Mirai variants, including, Omni, and Owari (Sora).

As explained at the beginning of this post, Anarchy did not use any specific exploit to gather tens of thousands of devices in a few hours. The CVE-2017-17215 is a well-known vulnerability that was used by many other botnets, including the Mirai Satori, to gather zombies.

The CVE-2017-17215 zero-day vulnerability in the Huawei home router residing in the fact that the TR-064 technical report standard, which was designed for local network configuration, was exposed to WAN through port 37215 (UPnP – Universal Plug and Play).

The exploit code used to target the Huawei routers is publicly available, in December Ankit Anubhav discovered it on Pastebin.com..

“NewSky Security observed that a known threat actor released working code for Huawei vulnerability CVE-2017–17215 free of charge on Pastebin this Christmas. This exploit has already been weaponized in two distinct IoT botnet attacks, namely Satori and Brickerbot.” stated a blog post published by Anubhav.

At the time, the exploit code for the CVE- 2017-17215 was used by a hacker identified as “Nexus Zeta” to spread the Satori bot (aka Okiku).

The availability of the code online represents a serious risk, it could become a commodity in the criminal underground, vxers could use it to build their botnet.

Satori isn’t the only botnet leveraging the CVE-2017-17215 exploit code, earlier in December, the author of the Brickerbot botnet that goes online with the moniker “Janitor” released a dump which contained snippets of Brickerbot source code.

NewSky Security analyzed the code and discovered the usage of the exploit code CVE-2017–17215, this means that the code was available in the underground for a long.

According to Bleeping Computer, Anarchy told Anubhav that he also plans to target the CVE-2014-8361 flaw in Realtek routers that is exploitable via port 52869.

“Testing has already started for the Realtek exploit during the night,” Anubhav told Bleeping Computer in a private conversation today. [Update: Both Rapid7 and Greynoise are confirming that scans for Realtek have gone through the roof today.]

Below the md5 and the C&C associated with the threat:

Ankit Anubhav
@ankit_anubhav
· 18 Jul
Just in : IoT hacker identifying himself as "Anarchy" has claimed to hack about 18000+ Huawei routers.The vulnerability is 2017-17215, leaked last Christmas & used in satori

He also takes responsibility for massive uptick in Huawei scanning now as seen in @360Netlab scanmon. 1/n pic.twitter.com/qOATps9Dmv

Ankit Anubhav
@ankit_anubhav
The attacker Anarchy has shared a list of infected victim IPs which at that point, I am not making public for obvious reasons. The bin in his botnet md5 >
c3cf80d13a04996b68d7d20eaf1baea8

As one can see, it uses only 1 exploit, 2017-17215. 2/n pic.twitter.com/F5BNNbf3bM

8:27 PM - Jul 18, 2018
View image on Twitter
9
See Ankit Anubhav's other Tweets
Twitter Ads info and privacy

SMII Mondher
@smii_mondher
Ketashi botnet
hxxp://104.244.72.82
hxxp://104.244.72.82/sister
hxxp://104.244.72.82/k
http://104.244.72.82/gpon#ketashi @360Netlab @ankit_anubhav @campuscodi

4:17 PM - Jul 19, 2018
3
See SMII Mondher's other Tweets