Hacker builds massive Huawei-based botnet by enslaving 18000 routers in just 24 hours

  • A malware author built a huge botnet by ensnaring 18,000 Huawei routers in just a day.
  • A hacker going by the name "Anarchy" claimed responsibility for the botnet.

An IoT hacker has managed to build a massive botnet in just 24 hours by ensnaring nearly 18,000 vulnerable Huawei routers. Researchers from NewSky Security first spotted the botnet, which was later confirmed by several other security firms including Qihoo 360 Netlab, GreyNoise and Rapid7.

The huge botnet was built by exploiting a critical vulnerability in Huawei HG532 routers - CVE-2017-17215 - that can be exploited through port 37215. The well-known exploit has already been abused by at least two previous versions of the Satori botnet and other Mirai variants.

According to Qihoo researchers, a significant uptick in scans for this vulnerability began Wednesday morning. By evening, NewSky security researcher Ankit Anubhav said the botnet had enslaved 18,000 routers.

Who is Anarchy?

A hacker going by the name "Anarchy" claimed responsibility for the botnet and even shared a list of IP addresses victimized by the botnet with Anubhav. However, Anubhav believes Anarchy might actually be a well-known malware author previously identified as Wicked who created variations of the infamous Mirai malware. The Mirai variants - Wicked, Omni and Owari - have been previously used for DDoS attacks.

"The motives are not clear as the attacker only told he is doing this 'to make the biggest baddest botnet in town'," Anubhav tweeted. "Probably DDoS. It's painfully hilarious how attackers can construct big bot armies with known vulns."

Anarchy also told Anubhav about plans to target CVE-2014-8361, a vulnerability in Realtek routers that can be exploited via port 52869, to ensnare more devices.

Security firms Rapid7 and GreyNoise have confirmed that scans for Realtek devices are already soaring.
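The scan uptick described above can be spotted in a network's own deny logs before the next variant finishes recruiting. The following is an added detection example, not code from the article or from any of the firms it cites; it assumes a constructed, generic firewall log format (timestamp, DENY, src, dst, dport) and flags sources that probe several distinct hosts on port 37215 (CVE-2017-17215) or 52869 (CVE-2014-8361) within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the article: 37215 (Huawei HG532, CVE-2017-17215) and
# 52869 (Realtek, CVE-2014-8361). Both are scanned, not served, by legitimate hosts.
WATCHED_PORTS = {37215: "CVE-2017-17215", 52869: "CVE-2014-8361"}

# Constructed sample lines in an assumed generic "firewall deny" format (not a real vendor's).
SAMPLE_LOG = """\
2018-07-18T09:01:02Z DENY src=198.51.100.7 dst=203.0.113.10 dport=37215 proto=tcp
2018-07-18T09:01:03Z DENY src=198.51.100.7 dst=203.0.113.11 dport=37215 proto=tcp
2018-07-18T09:01:04Z DENY src=198.51.100.7 dst=203.0.113.12 dport=37215 proto=tcp
2018-07-18T09:01:05Z DENY src=198.51.100.7 dst=203.0.113.12 dport=37215 proto=tcp
2018-07-18T09:02:00Z DENY src=198.51.100.9 dst=203.0.113.10 dport=52869 proto=tcp
2018-07-18T09:02:01Z DENY src=198.51.100.9 dst=203.0.113.20 dport=52869 proto=tcp
2018-07-18T09:02:02Z DENY src=198.51.100.9 dst=203.0.113.21 dport=52869 proto=tcp
2018-07-18T09:03:00Z DENY src=198.51.100.22 dst=203.0.113.10 dport=37215 proto=tcp
2018-07-18T10:30:00Z DENY src=198.51.100.22 dst=203.0.113.11 dport=37215 proto=tcp
2018-07-18T09:05:00Z DENY src=198.51.100.30 dst=203.0.113.10 dport=443 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def parse_line(line):
    # Returns (timestamp, src, dst, dport) or None for lines that do not match the format.
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], m["dst"], int(m["dport"]))

def find_scanners(log_text, min_targets=3, window=timedelta(minutes=10)):
    """Return {src: {cve: distinct_target_count}} for sources that hit at least
    min_targets distinct destination hosts on one watched port within a sliding window."""
    events = defaultdict(list)  # (src, port) -> [(timestamp, dst)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] not in WATCHED_PORTS:
            continue
        ts, src, dst, port = rec
        events[(src, port)].append((ts, dst))
    flagged = defaultdict(dict)
    for (src, port), hits in events.items():
        hits.sort()  # chronological, so each window can start at hit i and scan forward
        for i, (start, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - start <= window}
            if len(targets) >= min_targets:
                cve = WATCHED_PORTS[port]
                flagged[src][cve] = max(len(targets), flagged[src].get(cve, 0))
    return dict(flagged)
```

Repeated hits on the same host count once, and two probes hours apart (198.51.100.22) are not treated as a sweep, which keeps the alert from firing on a single misbehaving device.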