A so-called “script kiddie” is behind the recently discovered Satori botnet that has scared security researchers because of its rapid rise to a size of hundreds of thousands of compromised devices.
Researchers say that a hacker named Nexus Zeta created Satori, which is a variant of the Mirai IoT malware that was released online in October 2016.
Satori botnet used Huawei zero-day
Satori, which is also tracked under the name of Mirai Okiru, came to life around November 23, when the malware started spreading on the Internet.
Satori was extremely virulent, infecting many devices from the get-go. Unlike previous Mirai versions, it did not rely on active Telnet-based brute-force attacks but used exploits instead.
More precisely, it scanned port 52869 and used CVE-2014-8361 (UPnP exploit affecting Realtek, D-Link, and other devices), and it scanned port 37215 and used an unknown (at the time) exploit.
It was later discovered that this last exploit was actually a zero-day (CVE-2017-17215) that affected Huawei HG532 routers. Huawei issued updates and a security alert a week after the attacks started, after being notified by Check Point researchers.
Bleeping Computer reported about Satori on December 5, when the botnet started popping up on the honeypots of various security researchers and cyber-security firms. At the time, the botnet counted over 280,000 bots, with the vast majority located in Argentina.
Since then, the botnet started heavily infecting devices at Internet service providers located in Egypt, Turkey, Ukraine, Venezuela, and Peru.
Satori botnet C&C servers taken down
Over the past weekend, representatives from numerous ISPs and cyber-security firms intervened and took down the main Satori botnet C&C servers, according to industry insiders who spoke with Bleeping Computer. At the time it was taken down, the botnet counted between 500,000 and 700,000 bots, according to rough estimations.
Immediately after the takedown, scan activity on ports 52869 and 37215 saw a huge spike, according to insight provided to Bleeping Computer by Netlab researchers. The most likely scenario is that Nexus Zeta is looking to scan and find bots for another Satori instance.
To read the original article: