Mirai botnet creator Anna Senpai unmasked DDoS protection service provider gone rogue
Nefarious actors have posted the working code behind the Satori botnet for free online iStock

Hackers have publicly posted the working code that exploits a zero-day vulnerability in a Huawei router model for free on Pastebin, security researchers have discovered. According to NewSky Security, the malware targets CVE-2017–17215, which is a vulnerability in Huawei HG532 devices, and has already been weaponised in two botnet attacks, including Satori and Brickerbot.

Satori, which means "awakening" in Japanese, is an updated variant of the infamous Mirai botnet and was used to hijack thousands of IoT devices and more than 280,000 different IP addresses last year. Meanwhile, the Brickerbot malware that was discovered in April 2017 has been used in Permanent Denial of Service (PDoS) attacks to destroy IoT devices.

Researchers have warned that the public release of the code will soon see other cybercriminals taking advantage of the exploit to carry out crippling distributed denial-of-service (DDoS) attacks in the future.

The vulnerability was first discovered by security firm Checkpoint during a zero-day Satori attack last year. The firm quietly reported the vulnerability to Huawei for a fix.

"The proof of concept code was not made public to prevent attackers from abusing it," Ankit Anubhav, principal researcher at NewSky Security wrote in a blog post. "However, with the release of the full code now by the threat actor, we expect its usage in more cases by script kiddies and copy-paste botnet masters."

The security firm added that it found usage of the same exploit when analysing snippets of the Brickerbot source code in December, implying that the code has been in the hands of nefarious threat actors for a while now.

NewSky Security has not shared the link to the leaked working code to prevent it from being misused by threat actors.

Huawei has already released a security patch to protect its devices against the remote code execution vulnerability.

"An authenticated attacker could send malicious packets to port 37215 to launch attacks," Huawei's security alert read. "Successful exploit could lead to the remote execution of arbitrary code."

NewSky Security further warned, "When an IoT exploit becomes freely available, it hardly takes much time for threat actors to up their arsenal and implement the exploit as one of the attack vectors in their botnet code.

"Prior to the Huawei bug, NewSky Security already observed the leakage of NetGear router exploit (aka NbotLoader), which lead to that code being integrated in well-known botnet Qbot."