Spam-spewing IoT botnet infects 100,000 routers using five-year-old flaw
Security researchers are warning that a botnet has been exploiting a five-year-old vulnerability to hijack home routers over the last couple of months.
Analysts working at Qihoo 360’s Netlab team say that they first identified the new botnet in September 2018. They have dubbed it “BCMUPnP_Hunter” because of its exploitation of a security hole in the Broadcom UPnP SDK first discovered in 2013.
UPnP (also known as Universal Plug and Play) is the umbrella term for the networking protocols used to connect all manner of computers and IoT devices to one another. It is not uncommon to find that devices have UPnP enabled by default.
Back in 2013, the Broadcom UPnP vulnerability was found on Cisco Linksys (now Belkin) WRT54GL routers, and a fix was created. However, what raised particular concerns at the time was that the vulnerability was discovered to be presented in the firmware of many routers based on the Broadcom chipset, manufactured by a wide range of companies.
Five years later, the BCMUPnP_Hunter botnet is scanning the internet for exposed UPnP interfaces on port 5431, and taking advantage of the flaw to seize control of unsecured routers, in order to run malicious code remotely upon them. No password required.
According to the researchers, once BCMUPnP_Hunter has hijacked a router it communicates with “well-known mail servers such as Outlook, Hotmail, Yahoo! Mail.” There is a high likelihood that the purpose of this is to distribute spam messages.
Unlike many of the IoT botnets at large today, BCMUPnP_Hunter is not based upon source code that has been leaked online, and appears to have been created from scratch. It has a complicated multi-stage infection mechanism that sets it apart from the crowd. In the opinion of the researchers who discovered the botnet, “it seems that the author has profound (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Graham Cluley. Read the original post at: https://www.tripwire.com/state-of-security/off-topic/iot-botnet-infects-100000-routers/