The GCHQ is monitoring China's Huawei
The GCHQ is monitoring China's Huawei

An amateur hacker who has titled himself ‘Nexus Zeta' has managed to exploit the Huawei home router HG532 by finding all the necessary information on online forums just a few days before carrying out the attack. Check Point, which discovered the attack, commented that it is extremely bad for an unskilled hacker to have access to these skills because the results can have very dangerous consequences.


was discovered Hundreds of thousands of attempts to exploit the zero-Day vulnerability in the Huawei home router HG532 have already been found in the wild across the world. It seems the aim of ‘Nexus Zeta' was to create a new version of the Mirai botnet and cause a huge amount of damage with it.


The identity of the attacker was initially a mystery, with speculation running from advanced nation state perpetrators to notorious threat gangs.


Because of the quick discovery of the exploitation, Huawei was able to patch the vulnerability and update its customers to say that the issue had been dealt with.


Maya Horowitz, threat intelligence group manager at Check Point commented to SC that the actor was not caught despite being an ‘amateur', “because he was viewed as “amateur” from technical perspective, asking non-advanced questions in online forums.” This also relates to the fact that he's using the same nickname in various forums and platforms. Nonetheless, he was wise enough not to publish his genuine name.


Most global attacks are “spray and pray”, meaning that there isn't a specific target. Thus, the UK is as affected as any other country. The best example is, of course, WannaCry and the NHS infections.

Horowitz adds, “As far as we can tell, we identified the attack the day it started, and immediately reported the Zero-Day vulnerability used in the attack on Huawei. We base this assumption on: 1) the fact that it was caught by heuristic signatures on our sensors, and 2) that it was the same day the threat actor asked questions regarding this bot in online forums.”

The only thing users should do in regards to this Zero Day, advises Horowitz, is to change the default password on their router (this is also Huawei's suggestion on its Security Notice).

Those who use this router behind a Firewall / Intrusion Prevention System, should also configure those to block the exploit's traffic.

Most users of this router are home users, who do not typically log in to their router's interface and don't necessarily have the know-how, and so unfortunately is is assumed most devices would stay vulnerable. “We desperately need IoT device manufacturers to make security a top priority and not to leave the users accountable,” says Horowitz.


Julian Palmer, VP engineering, Corero Network Security commented in an email to SC Media UK: “IoTs, including IoT routers are vulnerable devices and are increasingly frequent targets for recruitment into a botnet. The publication of code to exploit a vulnerability in Huawei HG532 routers adds to the inventory of potential DDoS attack nodes, a concerning trend in the cyber-security space. This vulnerability simply adds fuel to the fire of botnet recruitment activity that could be poised to take aim at any victim, at any time.

“It seems the exploit method would allow injection of commands within a “firmware update” command, and could result in malicious code being installed on the router without later detection.  The vulnerability still requires authenticated access, so the router must still be “hacked” first by gaining access. The old problem of “default passwords” is the most likely the problem in this scenario. Therefore, that makes this new vulnerability not so different to Mirai, which brute forced those logins when left at defaults.

“In terms of force, the CPUs in the routers are larger than the exploited cameras used in Mirai, but are not going to be vastly stronger. However, it doesn't make much difference. It doesn't take a lot of CPU to launch these types of attacks.

“We advise organisations that depend on the Internet to conduct business, and value the availability and security of their customers to take proactive mitigation measures against DDoS attacks. Relying on device manufactures to increase their security standards, or home users to take action on patching and resetting default password credentials, is a losing strategy for DDoS defence.”