Satori botnet: Hacker 'Nexus Zeta' found exploiting a Huawei zero-day flaw to spread Mirai variant
The unknown vulnerability affecting home routers was quickly patched by Huawei.
A hacker going by the pseudonym Nexus Zeta was found exploiting a zero-day vulnerability in a Huawei home router model, to spread a variant of the notorious Mirai botnet called Satori. Security experts said that they detected a barrage of attacks exploiting the zero-day flaw, with the U.S., Italy, Germany and Egypt being hit the hardest.
Earlier this month, Satori, which is considered to be an updated variant of the infamous IoT (internet of things) botnet Mirai, was found infecting over 280,000 IP addresses in just 12 hours. Since Mirai's creators first publicly released the malware's source code, numerous hackers have tweaked its code to launch internet-crippling DDoS attacks.
Security researchers at Check Point said that they observed hundreds of thousands of attempts to exploit the vulnerability in November. Fortunately, the unknown vulnerability was quickly patched by Hauwei, who issued a security update to customers, warning them of the bug.
Although the researchers first speculated the attackers leveraging the Hauwei zero-day were a sophisticated cyber gang or an experience state-sponsored hacker group, they were later surprised to discover that one lone hacker was behind the attacks.
"We arrived at our main suspect; a threat actor under the nickname 'Nexus Zeta', who was found thanks to the email address used to register a C&C domain belonging to the botnet – nexusiotsolutions[.]net," Check Point researchers said in a blog.
Researchers found that Nexus Zeta has been a HackForums member since 2015, although he is not a very active member of the forum. Researchers also found that the hacker is somewhat active on Twitter and GitHub, both of which "serve his IoT botnet projects". They also uncovered a Skype and SoundCloud account linked to the hacker which were registered under the name of Caleb Wilson. However, researchers were unable to determine whether this was, in fact, Nexus Zeta's real name.
At the same time that the zero-day attacks were being perpetrated, the hacker wrote a peculiar post on HackForums that read: "hello, im looking for someone to help me compile the mirai botnet, i heard all you have to do is compile it and you have access to 1 terabit per second so please help me setup a mirai tel-net botnet".
"According to our investigation, Nexus Zeta does not seem to be as much of an advanced actor as we initially suspected but rather an amateur with lots of motivation, looking for the crowd's wisdom. It is worth mentioning however that unfortunately we cannot determine how the Zero-Day found its way to his possession," Check Point researchers said. "Nonetheless, as seen in this case as well as others over the past year, it is clear that a combination of leaked malware code together with exploitable and poor IoT security, when used by unskilled hackers, can lead to disastrous results."
