Satori infected more than 280,000 IP addresses in as little as 12 hours, taking control of hundreds of thousands of home routers through a newly discovered zero-day vulnerability and spreading faster than Mirai ever did. If Mirai is a gun, Satori is a cannon. For now, though, this cannon is more like a time bomb that has not yet gone off.
Image source: bleepingcomputer
Satori is even more dangerous than Mirai
Satori was initially tracked under the name Mirai Okiru and first showed traces around November 23. Several security companies report that the vast majority of Satori's bots were located in Argentina; since then the botnet has spread to Egypt, Turkey, Ukraine, Venezuela, and Peru.
360 Institute for Cybersecurity, Fortinet, and Check Point published their research on Satori on their respective blogs on December 5, December 12, and December 21. (Note: 360 Institute for Cybersecurity had already released a related warning on November 24, "Security threat early warning: a new Mirai botnet variant is actively spreading on ports 23 and 2323.")
In a December 5 blog post, "Security threat warning: Mirai variant Satori is spreading worm-style on ports 37215 and 52869," 360 Institute for Cyber Security wrote: "In our previous blog, we mentioned that about 100,000 independent scanning IPs from Argentina were scanning ports 2323 and 23, and we were confirming that this was a new Mirai variant. In the past few days the scanning has become more severe and more countries have appeared on our ScanMon platform. After careful analysis we saw more of the picture and realized that the earlier 2323/23 port scans were only a small part of a huge puzzle."
In short, Satori is essentially a worm. Its source code is derived from Mirai and it is an upgraded Mirai, but it is far more virulent than Mirai:
- After infecting an IoT device, Mirai scans for further vulnerable devices over Telnet and then relies on a separate loader to install the Mirai trojan. Satori drops the scanner component and instead carries two embedded exploits that infect remote devices on ports 37215 and 52869. This makes Satori much closer to a true IoT worm: it spreads by itself, with no additional components.
- Mirai finds vulnerable devices by scanning ports 23 and 2323; Satori targets devices listening on ports 37215 and 52869 that are affected by either of the two known vulnerabilities and have not been patched.
Alarmingly, one of the two vulnerabilities was later confirmed to be a zero-day (a fix is now available).
Satori targets Huawei routers
Li Fengpei told Lei Feng network that while everyone's attention had been on cameras, routers have in fact now overtaken cameras as the number one bot device.
Check Point and Fortinet named the target directly: Satori is attacking Huawei routers, and the zero-day mentioned above is in a Huawei router.
Lei Feng network noted that on November 30 Huawei published a security notice, "Remote code execution vulnerability in the HG532 product" (updated December 22), acknowledging the router vulnerability and recommending mitigations. The notice reads:
On November 27, 2017, Huawei received a notice from Check Point Software Technologies' research division that there was a remote code execution vulnerability (CVE-2017-17215) in the Huawei HG532 product. At the same time, Check Point issued security alert CPAI-2017-1016, but the alert did not include the vulnerability details. Huawei immediately launched an investigation and analysis and has confirmed that the vulnerability exists. An authenticated attacker can send malicious packets to port 37215 of the device to launch attacks; successful exploitation allows the attacker to execute arbitrary code remotely.
The following measures can be taken to work around or prevent this vulnerability. For more information, contact your local service provider or Huawei TAC.
(1) Configure the device's built-in firewall function
(2) Change the default password
(3) Deploy a firewall on the carrier side
Customers can deploy Huawei NGFW or data center firewall products and upgrade the IPS signature database to the latest version released on December 1, 2017 (IPS_H20011000_2017120100) to detect and defend against this vulnerability at the network layer.
Huawei has always followed the industry practice of life cycle management and has established a life cycle management system that specifies the product life cycle strategy and product termination strategy. For products whose service has been discontinued, Huawei has communicated with customers and provided solutions based on their suggestions. Huawei recommends that users avoid or prevent this problem by using the workarounds or by replacing the product with a newer model.
The relevant investigation is ongoing, and Huawei PSIRT will update this security notice. Please follow the security notice for this vulnerability closely.
According to a Zhongguancun Online report, the routers controlled by Satori are supplied to their customers by two of the largest carriers, which means the carriers can quickly locate the affected devices and fix the vulnerability.
According to Bleeping Computer, several parties, including cybersecurity companies, intervened over the past week and seized the Satori botnet's C&C servers. Once those servers were taken, a botnet of an estimated 500,000 to 700,000 devices went dormant.
But the other side has not given up. After the servers were seized, scanning activity on ports 52869 and 37215 spiked sharply; most likely Satori's authors are rescanning the Internet for new bots.
Image sources: Bleepingcomputer; 360 Institute of Cyber Security
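The scan waves described above (first on ports 23/2323, then on 37215/52869, and the renewed spike after the C&C takedown) are what a monitor like 360's ScanMon watches for. As an added illustration that is not code from the article, 360 Institute for Cyber Security, Check Point, Fortinet or Bleeping Computer, the following Python script applies that idea to firewall drop logs: it counts distinct source addresses probing each watched port per hour and flags hours where that count jumps well above the port's earlier baseline. The log format, the sample log lines, the thresholds and the function names are all assumptions chosen for the example.

```python
"""Flag Satori-style scan waves in firewall drop logs.

Added illustration, not code from the article, 360 Institute for Cyber
Security, Check Point, Fortinet or Bleeping Computer. The log format,
thresholds and sample lines below are assumptions chosen for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Ports the article ties to Mirai (23, 2323) and Satori (37215, 52869).
WATCHED_PORTS = {23, 2323, 37215, 52869}

# Assumed log format (one inbound drop per line):
#   <ISO-8601 time> DROP <src_ip>:<src_port> -> <dst_ip>:<dst_port> TCP
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"\d+\.\d+\.\d+\.\d+:(?P<dport>\d+) TCP$"
)


def parse_line(line):
    """Return (hour_bucket_iso, src_ip, dst_port), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    hour = datetime.fromisoformat(m.group("ts")).replace(minute=0, second=0, microsecond=0)
    return hour.isoformat(), m.group("src"), int(m.group("dport"))


def distinct_scanners(lines):
    """Map (hour_bucket, dst_port) -> set of distinct source IPs, watched ports only.

    Counting distinct sources rather than packets matters: a botnet scan wave
    is many hosts sending a few probes each, not one host sending many.
    """
    buckets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or unrelated line
        hour, src, dport = parsed
        if dport in WATCHED_PORTS:
            buckets[(hour, dport)].add(src)
    return buckets


def find_spikes(buckets, factor=3.0, min_sources=3):
    """Return sorted (hour, port, sources, baseline) tuples for suspicious hours.

    The baseline is the median distinct-source count of the port's earlier
    hours; an hour is a spike when it has at least `min_sources` sources and
    at least `factor` times the baseline. The first hour seen for a port has
    no baseline and is never flagged.
    """
    per_port = defaultdict(list)
    for (hour, dport), sources in buckets.items():
        per_port[dport].append((hour, len(sources)))
    spikes = []
    for dport, series in per_port.items():
        history = []
        for hour, count in sorted(series):
            if history:
                baseline = sorted(history)[len(history) // 2]
                if count >= min_sources and count >= factor * baseline:
                    spikes.append((hour, dport, count, baseline))
            history.append(count)
    return sorted(spikes)


def detect(lines):
    """Convenience wrapper: raw log lines in, spike list out."""
    return find_spikes(distinct_scanners(lines))


# Constructed sample log: two quiet hours, then a burst of new sources on
# 37215 and 52869 at 12:00 while Telnet (23) stays flat. The port 80 line and
# the malformed line must be ignored.
SAMPLE_LOG = [
    "2017-12-05T10:03:11 DROP 203.0.113.10:40001 -> 198.51.100.7:23 TCP",
    "2017-12-05T10:17:42 DROP 203.0.113.11:40002 -> 198.51.100.7:23 TCP",
    "2017-12-05T10:44:05 DROP 203.0.113.20:51000 -> 198.51.100.7:37215 TCP",
    "2017-12-05T11:02:30 DROP 203.0.113.10:40003 -> 198.51.100.7:23 TCP",
    "2017-12-05T11:20:18 DROP 203.0.113.12:40004 -> 198.51.100.7:23 TCP",
    "2017-12-05T11:35:59 DROP 203.0.113.21:51001 -> 198.51.100.7:37215 TCP",
    "2017-12-05T11:50:07 DROP 203.0.113.30:52000 -> 198.51.100.7:52869 TCP",
    "2017-12-05T12:01:13 DROP 203.0.113.10:40005 -> 198.51.100.7:23 TCP",
    "2017-12-05T12:09:48 DROP 203.0.113.13:40006 -> 198.51.100.7:23 TCP",
    "2017-12-05T12:30:00 DROP 203.0.113.60:33000 -> 198.51.100.7:80 TCP",
    "this line is malformed and must be skipped",
] + [
    f"2017-12-05T12:{m:02d}:00 DROP 203.0.113.{40 + i}:510{i:02d} -> 198.51.100.7:37215 TCP"
    for i, m in enumerate((5, 12, 19, 26, 33, 40))
] + [
    f"2017-12-05T12:{m:02d}:30 DROP 203.0.113.{50 + i}:520{i:02d} -> 198.51.100.7:52869 TCP"
    for i, m in enumerate((7, 14, 21, 28, 35))
]

if __name__ == "__main__":
    for hour, port, count, baseline in detect(SAMPLE_LOG):
        print(f"{hour} port {port}: {count} distinct sources (baseline {baseline})")
```

Run against the constructed log, the script flags the 12:00 hour on ports 37215 and 52869 and stays quiet on Telnet, which is the signature the article describes: many new source addresses appearing on the two exploit ports at once. On real logs the useful tuning knobs are the bucket size (an hour is coarse for a wave that recruited 280,000 hosts in 12 hours) and the baseline window; a per-port median over a day or more resists the slow drift of background scanning better than the few buckets used here.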
In a November 29 article, Check Point researchers revealed the identity of the Satori botnet's author, Nexus Zeta.
The researchers said they tracked him down because the domain name the author registered for Satori's infrastructure was tied to an e-mail address strongly associated with an account on HackForums, one of the most popular hacking forums.
Check Point said: "Although he was not very active on this forum, he was at a loss."
On November 22, the day before Satori was first spotted, a forum post showed Nexus Zeta asking for help building a Mirai botnet (editor's note: Satori is a Mirai variant).
However, according to Bleeping Computer, Satori has not been linked to any major DDoS attack over the past few weeks.
Li Fengpei believes Bleeping Computer's view is limited to "recent, major attacks", which is consistent with what 360 has observed; the picture may look different, however, if we trace further back in time.
The 360 Institute for Cyber Security blog post cited above noted: "We also suspect this attack is related to another IoT-related attack that took place in China in August 2017. We may publish another blog post elaborating on this later."
Even more worrying, Satori's story is far from over, and other botnets and attacks remain a concern.
Li Fengpei told Lei Feng network that since Mirai's source code is openly available on the Internet, modifying Mirai and building a huge botnet under the guise of a new variant has long since ceased to be difficult. Moreover, an attacker can simply switch to an entirely new domain name, keeping their identity well hidden.
Reference: bleepingcomputer