The source code of the Satori internet-of-things (IoT) botnet was posted online on Pastebin, security researchers reported. In early December last year, Satori affected 280,000 IP addresses in just 12 hours, ensnaring numerous home routers to become part of its botnet.
Satori (also known as Mirai Okiru, and detected by Trend Micro as ELF_MIRAI.AUSR), which means “enlightenment” or “awakening” in Japanese (“okiru” means “to rise”), was pegged to be the successor of the infamous Mirai botnet, which similarly zombified routers and knocked high-profile sites offline. Like Satori, the original Mirai’s source code was also released publicly, and has since spawned iterations. Mirai-based attacks were recently spotted in Colombia, Ecuador, Panama, Egypt, Tunisia, and Argentina.
Satori exploits two vulnerabilities:
CVE-2017–17215 — a vulnerability in Huawei Home Gateway routers (Huawei HG532), patched last November 2017. Attacks that use an exploit for this vulnerability targets port 37215.
CVE-2014-8361 — a command injection vulnerability in Realtek SDK miniigd Universal Plug and Play (UPnP) SOAP interface (patched May 2015). Attacks that exploit this vulnerability target port 52869.
Initial feedback from Trend Micro’s telemetry revealed over 170,000 Satori-related detections in December 2017. The Satori-related attacks were prominent in Europe (Italy, France), North Africa and Middle East (Tunisia, Egypt), and South America (Colombia, Ecuador), as well as the U.S. and Japan.
Satori is a credible threat given the increasing popularity of IoT devices in homes and workplaces, and the adverse impact they can cause when compromised. Distributed denial-of-service (DDoS) attacks, Domain Name System (DNS)-changing malware, and cryptocurrency-mining malware are just some of the threats users and businesses can be exposed to. IoT devices can also suffer from significant performance slowdowns.
Here are some best practices for making routers and networks more resistant to attacks:
Update and/or strengthen their credentials to deter hackers from hijacking them
Keep the router or IoT device’s firmware and software updated to prevent attackers from exploiting security gaps
Use encryption to thwart attackers from snooping in on their network traffic, especially if the device is used in the workplace
Disable unnecessary or outdated components that can be abused by attackers and used as doorways into the device or systems that may be connected to it
Deploy additional layers of security such as intrusion detection and prevention systems
Trend Micro Solutions
Trend Micro Smart Home Network (SHN) provides an embedded network security solution that protects all devices connected to a home network against cyberattacks. Based on Trend Micro’s rich threat research experience and industry-leading deep packet inspection (DPI) technology, SHN offers intelligent quality of service (iQoS), parental controls, network security and more.
Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these kinds of attacks even without any engine or pattern update. These solutions are powered by XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
Trend Micro Deep Discovery Inspector protects customers from Satori-related threats through these DDI rules:
3215: Command Injection via UPnP SOAP Interface – HTTP (Request)
3772: GAFGYT - HTTP (Request)
2261: GAFGYT - HTTP (Request)
Trend Micro Smart Home Network protects customers from Satori-related threats through these detection rules:
1133480 EXPLOIT Remote Command Execution via Shell Script -2