Serious vulnerability in Huawei HG532 routers: hundreds of thousands of attacks already identified

On 23 November 2017, Check Point experts, who specialise in security solutions for networks, computer systems and the Internet of Things, noticed increased traffic on their honeypots in Germany, the USA and Italy: port 37215 was receiving a far larger number of TCP packets than usual. After a quick diagnosis it turned out that an attacker had found a 0-day vulnerability in the Huawei HG532 router for the SOHO (Small Office and Home Office) sector and was using it to infect edge devices, which were then used for DDoS attacks against other Internet users.
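The kind of anomaly described above (a sudden rise in inbound TCP SYNs to port 37215) can be spotted in ordinary firewall logs before a honeypot is involved. The following script is an added example, not code from Check Point or from the article: it parses iptables/netfilter LOG lines (the sample lines are constructed for this example, with documentation-range source addresses), counts inbound SYNs to ports 37215 and 7547 per minute, and raises an alert when a minute exceeds a threshold, listing the most active sources.

```python
import re
from collections import Counter, defaultdict

# Ports named in the article: the HG532 UPnP/TR-064 service (37215) and the
# CPE management port (7547) that owners are told to check.
WATCHED_PORTS = {37215, 7547}

# Fields of a netfilter LOG line that the detector needs.
LOG_RE = re.compile(
    r"^(?P<minute>\w{3} +\d+ \d\d:\d\d):\d\d .*?IN=(?P<iface>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log (not captured data): one baseline SYN at 10:00, then a
# burst of six SYNs to 37215 from three sources at 10:01, plus lines that must be
# ignored (port 80, UDP) and one SYN to 7547.
SAMPLE_LOG = """\
Nov 23 10:00:07 honeypot kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=37215 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 23 10:01:02 honeypot kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41235 DPT=37215 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 23 10:01:03 honeypot kernel: IN=eth0 OUT= SRC=198.18.0.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=50001 DPT=37215 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 23 10:01:05 honeypot kernel: IN=eth0 OUT= SRC=198.18.0.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=50002 DPT=37215 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 23 10:01:09 honeypot kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=60010 DPT=37215 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 23 10:01:11 honeypot kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=60011 DPT=37215 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 23 10:01:20 honeypot kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=60012 DPT=37215 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 23 10:01:21 honeypot kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=60013 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 23 10:01:22 honeypot kernel: IN=eth0 OUT= SRC=198.18.0.9 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=5353 DPT=37215 LEN=20
Nov 23 10:01:30 honeypot kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41236 DPT=7547 WINDOW=29200 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Extract minute bucket, addresses, protocol, destination port and SYN flag;
    return None for lines that are not netfilter LOG records."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # A pure SYN carries the SYN token without ACK; SYN-ACKs are replies, not probes.
    is_syn = bool(re.search(r"\bSYN\b", line)) and not re.search(r"\bACK\b", line)
    return {
        "minute": m.group("minute"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
        "syn": is_syn,
    }


def detect_spikes(lines, threshold=5):
    """Count inbound TCP SYNs to the watched ports per (minute, port) and return
    (counts, alerts); an alert lists the minute, port, count and top sources."""
    counts = Counter()
    sources = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["proto"] != "TCP" or not rec["syn"]:
            continue
        if rec["dpt"] not in WATCHED_PORTS:
            continue
        key = (rec["minute"], rec["dpt"])
        counts[key] += 1
        sources[key][rec["src"]] += 1
    alerts = [
        {"minute": minute, "port": port, "count": n,
         "top_sources": sources[(minute, port)].most_common(3)}
        for (minute, port), n in sorted(counts.items())
        if n >= threshold
    ]
    return counts, alerts


if __name__ == "__main__":
    counts, alerts = detect_spikes(SAMPLE_LOG.splitlines())
    for (minute, port), n in sorted(counts.items()):
        print(f"{minute} port {port}: {n} inbound SYN(s)")
    for a in alerts:
        print(f"ALERT {a['minute']} port {a['port']}: {a['count']} SYNs, top sources {a['top_sources']}")
```

The threshold is deliberately a parameter: on a home gateway a handful of SYNs to 37215 in a minute is already unusual, while a honeypot operator would tune it against their own baseline. Pointing the script at a real log file (`detect_spikes(open("/var/log/kern.log"))`) works unchanged as long as the firewall logs inbound packets with the `LOG` target.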

Map of attacks.

Botnet and DDoS attacks (TCP, UDP flood)

The vulnerability, assigned the identifier CVE-2017-17215, concerns UPnP (Universal Plug and Play), which in the Huawei HG532 is based on TR-064 (full specification), and allows remote code execution on the device via port 37215. The solution is convenient for fast file sharing and management, but it also brings risks that depend on the manufacturer's support, that is, to put it bluntly, on security updates. Huawei (and not only Huawei), as a manufacturer of modems and routers, uses TR-064 for example to automatically identify problems with the Internet service provider's (ISP's) infrastructure. When parameters and device settings are changed, it is sometimes forgotten to restrict access to the TR-064 server from the outside, or that access is not secured well enough, and unfortunately anyone can use that against the user.

An attacker can use the exploit to send a command to the device that changes its configuration, at least as far as DNS server settings are concerned. It is frightening to think how serious the consequences can be: the attacker can set his own DNS server and substitute any page, for example a bank's website or a social media portal, even one using an encrypted protocol (here two-step verification turns out to be the best protection), or attach the router to a botnet and use the device to carry out DDoS attacks (as in this case) or as a proxy server to hide criminal activity.

Check Point employees reported the vulnerability to the manufacturer immediately after identifying it. Thanks to fast and efficient communication between the security teams of both companies, an update and a signature to detect the attack were produced very quickly.

The attack is suspected to be the work of a person presenting himself as "Nexus Zeta", who created an account on the "HackForum" forum on August 15, 2017 and registered the botnet's C&C server domain "nexusiotsolutions[.]net" to the email address nexuszeta1337@gmail[.]com.

The researchers leading the investigation noticed that the account named "NexusZeta" is also active on social networks (mostly Twitter) and on GitHub. Check Point experts also found Skype and SoundCloud accounts linked to the email address. These accounts are registered under the name Caleb Wilson / wilson37 / Caleb Wilson 37, but it is of course not certain that this is the person's real name.

On one of the forums the following request appeared:

"Hello, I'm looking for someone to help me compile the Mirai botnet, and I heard all you have to do is compile it and you have access to 1 terabit per second, so please help me set up a Mirai telnet botnet."

According to the authors of the report, "Nexus Zeta" does not have as advanced knowledge as first thought: "It is rather a hobbyist with a high incentive." That does not change the fact, however, that "Nexus Zeta" took possession of an exploit for the 0-day vulnerability in Huawei equipment.

How to protect yourself?

If the edge device was provided by our Internet service provider, we need to "ask" them for an immediate update or replacement of the device. You should also check whether port 37215 or 7547 is accessible from the outside. As the last step, update the router firmware, if an update is available. Huawei's technical description shows that the manufacturer is still dealing with a privately reported vulnerability.
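The check recommended above (is port 37215 or 7547 reachable on the router's public address?) is a plain TCP connection attempt. The script below is an added example, not code from the article or from Huawei; it takes the router's WAN address as an argument (the `192.0.2.1` default is a placeholder, not a real device) and reports each port as exposed or closed/filtered. The `connect` parameter exists only so the logic can be exercised without a network.

```python
import socket
import sys

# Ports the article tells HG532 owners to check from the outside.
EXPOSED_PORTS = (37215, 7547)


def check_port(host, port, timeout=3.0, connect=socket.create_connection):
    """Return True when a TCP connection to host:port completes (a service is
    answering), False when it is refused or times out (closed or filtered).
    `connect` defaults to the real socket call and is injectable for tests."""
    try:
        conn = connect((host, port), timeout=timeout)
    except OSError:
        # ConnectionRefusedError, socket.timeout and unreachable-network errors
        # all derive from OSError; any of them means the port is not exposed.
        return False
    conn.close()
    return True


def check_exposure(host, ports=EXPOSED_PORTS, **kw):
    """Map each port to 'EXPOSED' or 'closed/filtered' for the given WAN address."""
    return {
        port: ("EXPOSED" if check_port(host, port, **kw) else "closed/filtered")
        for port in ports
    }


if __name__ == "__main__":
    # Placeholder address; pass your own router's public IP as the first argument.
    wan_ip = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    for port, state in check_exposure(wan_ip).items():
        print(f"{wan_ip}:{port} -> {state}")
```

Run it from outside your own network (for example over a mobile connection), because from inside the LAN a connection to the WAN address is usually answered by the router's LAN side and says nothing about what the Internet can reach. A port reported as EXPOSED on an HG532 is the condition the article warns about and should be closed in the router's firewall or by the ISP's update.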

SHODAN shows about 50 devices in Poland with port 37215 open.

