Script Kiddie Responsible for Large Satori Botnet

Security researchers believe that a recently discovered botnet of more than 250,000 routers was actually created by an amateur hacker with limited skills and not a sophisticated actor.

The router malware started spreading in November and has been dubbed Satori or Okiru by security companies. It is an updated version of Mirai, a botnet that was used to launch some of the largest DDoS attacks ever recorded, including one that took down major websites for users on the U.S. East Coast.

Mirai spread mainly via Telnet by taking advantage of weak or default credentials. Satori, however, also incorporated exploits into its scans: one for a known remote command execution vulnerability in the miniigd UPnP SOAP service (part of the Realtek SDK) that listens on port 52869 on some devices, and one for a previously unknown vulnerability in a service listening on port 37215.

The second vulnerability turned out to affect Huawei HG532 home gateway devices, which exposed a LAN-side CPE (customer premises equipment) configuration service called TR-064 to the internet through UPnP. Huawei was notified and released a security advisory and temporary fixes.
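Because Satori's exploit traffic is tied to two fixed destination ports in addition to Telnet, the scanning phase is easy to pick out of perimeter logs. The following is an added detection example written for this article, not code from the researchers or from the malware analysis: it parses a constructed, simplified firewall log (the line format, the IP ranges and the `198.51.100.` internal prefix are all assumptions) and reports external sources that probed ports 23, 52869 or 37215 on more than one internal host.

```python
import re
from collections import defaultdict

# Ports the article reports Satori probing: Telnet (inherited from Mirai),
# the miniigd UPnP SOAP service (52869) and the Huawei HG532 service (37215).
SATORI_PORTS = {23: "telnet", 52869: "miniigd-upnp-soap", 37215: "huawei-hg532-upnp"}

# Constructed sample log in an assumed, simplified firewall/flow format:
# <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <flag>
SAMPLE_LOG = """\
2017-12-05T10:00:01Z 203.0.113.7:40111 -> 198.51.100.20:37215 tcp SYN
2017-12-05T10:00:01Z 203.0.113.7:40112 -> 198.51.100.21:37215 tcp SYN
2017-12-05T10:00:02Z 203.0.113.7:40113 -> 198.51.100.22:52869 tcp SYN
2017-12-05T10:00:02Z 203.0.113.7:40114 -> 198.51.100.23:23 tcp SYN
2017-12-05T10:00:03Z 192.0.2.55:51000 -> 198.51.100.20:443 tcp SYN
2017-12-05T10:00:04Z 192.0.2.55:51001 -> 198.51.100.20:37215 tcp SYN
2017-12-05T10:00:05Z 198.51.100.9:33000 -> 198.51.100.20:37215 tcp SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<flag>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
        "flag": m["flag"],
    }


def find_satori_scanners(log_text, internal_prefix="198.51.100.", min_targets=2):
    """Return {src_ip: {"targets": n, "ports": [...]}} for external sources that
    sent TCP SYNs to Satori-associated ports on at least min_targets internal hosts.

    Requiring several distinct targets separates horizontal scanning from a
    single stray connection attempt.
    """
    hits = defaultdict(lambda: {"targets": set(), "ports": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["flag"] != "SYN":
            continue
        if rec["dport"] not in SATORI_PORTS:
            continue
        if rec["src"].startswith(internal_prefix):  # assumed internal range; skip
            continue
        hits[rec["src"]]["targets"].add(rec["dst"])
        hits[rec["src"]]["ports"].add(rec["dport"])
    return {
        src: {"targets": len(v["targets"]), "ports": sorted(v["ports"])}
        for src, v in hits.items()
        if len(v["targets"]) >= min_targets
    }


if __name__ == "__main__":
    for src, info in find_satori_scanners(SAMPLE_LOG).items():
        names = ", ".join(SATORI_PORTS[p] for p in info["ports"])
        print(f"{src}: {info['targets']} hosts probed on {names}")
```

On the constructed sample, 203.0.113.7 is flagged (four internal hosts, all three ports), 192.0.2.55 is not because it touched a single host, and 198.51.100.9 is ignored as internal. In a real deployment the thresholds and the internal range would come from the environment, and a match on port 37215 or 52869 alone is already worth a look since neither service has any business being reachable from the internet.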

The use of a zero-day exploit, which is unusual for a router botnet, suggested a potentially sophisticated attacker. However, researchers from Check Point believe Satori’s creator is an amateur hacker using the online alias Nexus Zeta.

He was tracked down through an email address that was used to register one of the botnet’s command-and-control domain names. The researchers also believe they’ve found his Twitter, GitHub, Skype and SoundCloud accounts, some of which were registered using the name Caleb Wilson (caleb.wilson37 / Caleb Wilson 37), though it’s not clear whether this is actually his real name.

“When searching for Nexus Zeta 1337 we found an active threat actor on HackForums carrying the avatar name ‘Nexus Zeta,’ and who has been a HackForums member since August ’15,” the Check Point researchers said in an analysis. “Although he is rarely active in such forums, the few posts he does make disclose a less professional actor, though interestingly his most recent focus was on an initiative to establish a Mirai-like IoT botnet.”

It’s not clear how Nexus Zeta came into possession of the Huawei zero-day exploit, but regardless of whether he found it or bought it, it’s scary that a relatively unskilled attacker can build a large botnet capable of devastating attacks. It highlights the poor state of router and IoT security across the internet.

Remotely Exploitable Flaws Patched in Pelco Enterprise Video Management System

The VideoXpert enterprise video management system from Pelco, a subsidiary of Schneider Electric, received a firmware update to address three medium and high-risk vulnerabilities.

VideoXpert is a software-based solution used by many large organizations around the world, as it can be installed on their existing hardware.

One of the vulnerabilities allows attackers to execute a directory traversal attack that can result in authentication bypass or session hijack. The second flaw allows viewing potentially sensitive web server files and the third allows attackers to replace files, which can result in arbitrary code execution with elevated privileges.
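The advisory does not describe the VideoXpert traversal in code, so the following is an added, generic illustration written for this article and not the product's own code: a naive path join that lets `../` segments escape the web root, next to a hardened resolver that decodes, normalizes and then checks that the result is still inside the root. The root directory is an assumed placeholder.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/videoxpert/www"  # assumed placeholder, not from the advisory


def resolve_vulnerable(web_root, requested):
    """Naive resolution: the request path is joined to the root as-is, so
    '../' segments walk out of the web root. Kept deliberately insecure."""
    return posixpath.normpath(posixpath.join(web_root, requested))


def resolve_safe(web_root, requested):
    """Resolve a request path and return None unless it stays inside web_root.

    Steps: decode percent-encoding once (so '%2e%2e' is seen as '..'),
    reject absolute paths and NUL bytes, normalize, then compare the result
    against the root as a whole path component (not a string prefix, so that
    '/srv/videoxpert/www-evil' does not pass as inside '/srv/videoxpert/www').
    """
    root = posixpath.normpath(web_root)
    decoded = unquote(requested)
    if "\x00" in decoded or decoded.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    probes = [
        "../../../etc/passwd",
        "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
        "../www-evil/config",
        "css/../images/logo.png",
    ]
    for p in probes:
        print(f"{p!r:40} naive={resolve_vulnerable(WEB_ROOT, p)!r:30} "
              f"safe={resolve_safe(WEB_ROOT, p)!r}")
```

On a live filesystem the hardened version should additionally call `os.path.realpath` on the candidate before the containment check, so a symlink inside the root cannot point outside it; that step is omitted here so the example runs without any files present.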

According to an advisory by Schneider Electric, the vulnerabilities were fixed in VideoXpert v2.1, released earlier this month. The U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) also published an advisory this week, rating one of the flaws 7.1 (High) on the CVSSv3 scale and warning that all of the bugs require only a low skill level to exploit.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42