IoT malware targeting zero-day vulnerabilities
Once it became evident that IoT devices can be relatively easily enslaved in botnets and that even their limited power can be used for a variety of nefarious purposes, it was open season for malicious actors.
First, they targeted IoT devices with default or weak passwords, and manufacturers and users began changing them. Then they used known vulnerabilities, and IoT vendor increased their efforts to push out patches. Now, some botmasters are making a concentrated effort to find unknown flaws they can exploit.
One of these is the person behind the Satori malware, which is based mainly on Mirai code.
Satori’s evolution
The first variant of the threat was flagged in April 2017, the second in August, and the third just before the end of the year.
Its development followed the progression delineated above:
Satori v1 scanned the Internet and looked for devices that had an open telnet port and a default password or one that is easily brute-forced.
Satori v2 added new passwords to the list of passwords to try and, judging by one of them, seems to have concentrated on harvesting bots in South America.
Satori v3 ignores password attacks, and tries to deploy exploits for two remote code execution flaws:
- CVE-2014-8361, affecting the miniigd SOAP service in Realtek SDK, and
- CVE 2017-17215, a vulnerability in Huawei’s HG532e home gateway patched in early December 2017.
According to evidence unearthed by Palo Alto Networks researchers, the version of Satori exploiting the Huawei flaw was active in late November 2017 – before the vendor issued a patch and before they knew about the flaw.
The researchers also believe that Satori’s author has started to reverse engineer the firmware of many IoT devices to collect device’s typical information and discover new vulnerabilities.
Apparently, the earlier Satori version indiscriminately killed processes on the compromised device. But, in later variants, the malware checks whether a compromised device is a specific device type, and then skips killing processes on four types of IoT devices. The researchers believe he is identifying the device type for future attacks.
“If this is correct, we may see future versions of Satori attacking other unknown vulnerabilities in other devices,” they concluded.