Building a botnet is no longer a big, time-consuming task, and can be done within 24 hours. At least, that’s what a hacker, who goes by the pseudonym Anarchy, claims. This hacker in question has created a botnet that has compromised over 18,000 Huawei routers within 24 hours.
Anarchy Botnet
The cyber attacker built the botnet by using an old vulnerability that was spotted by researchers from NewSky Security last Christmas. Following the news, other security firms including Rapid7 and Qihoo 360 Netlab have also confirmed the existence of the new threat. The firms saw a huge recent uptick in Huawei device scanning, specifically scans seeking devices vulnerable to CVE-2017-17215, a critical security flaw in Huawei HG532 devices that can be exploited through port 37215.
The motives of Anarchy are not yet clear. However, he has reached out to NewSky Security researcher Ankit Anubhav saying he wants “to make the biggest baddest botnet in town”. He is probably talking about a distributed denial-of-service (DDoS) attack here. The hacker also revealed an IP list of victims to Anubhav, which has not been made public for obvious reasons.
What’s surprising here is that the CVE-2017-17215 vulnerability had already been weaponized in two distinct IoT botnet attacks, namely Satori and Brickerbot. Working exploit code to compromise Huawei routers using this flaw was released to the public in January this year. “It’s painfully hilarious how attackers can construct big bot armies with known vulns,” Anubhav added.
Anubhav suspects that Anarchy may actually be the well-known threat actor Wicked, who has been linked with the creation of the Owari/Sora botnets before.
Botnets can be used to mount DDoS attacks, sending floods of malicious packets at a device, and to execute code on it remotely. The LizardStresser botnet, for example, was able to launch 400Gbps attacks on vulnerable IoT devices.
The story, however, may not be over. Anarchy/Wicked intends to enslave more devices by scanning for the Realtek router vulnerability CVE-2014-8361.