Nexus Zeta behind botnet that weaponises router exploit to enlist further vulnerable IoT devices. The author of Satori botnet may also be behind two new Mirai variants called Masuta and PureMasuta.
According to a blog post by researchers at NewSky Security, the hacker, who goes by the name Nexus Zeta, has created a new version that weaponises a router exploit, enabling the botnet to assimilate vulnerable IoT devices and multiply.
Researchers managed to acquire the source code of Masuta (Japanese for “master”) botnet in an invite-only dark forum. Further investigation uncovered a link between Satori and Masuta.
Last month, researchers identified the hacker Nexus Zeta, exploiting a zero-day flaw in Huawei routers to accelerate Satori attacks.
“The WHOIS information for the URL also states contact as nexuszeta1337@gmail(.)com, indicating that Nexus Zeta is not a one hit wonder creator of Satori, but also has been involved in the creation of the Masuta botnet,” said Ankit Anubhav, principal researcher at NewSky Security. He added that the Masuta attacks have been on the rise since September as honeypots observed 2400 IPs involved in the botnet in last three months.
But researchers said that with the second variant, called PureMasuta, what makes it stand out is the usage of EDB 38722 D-Link exploit.
The weaponised bug introduced in PureMasuta botnet is in the HNAP (Home Network Administration Protocol) which itself is based on the SOAP protocol. It is possible to craft a SOAP query which can bypass authentication by using hxxp://purenetworks.com/HNAP1/GetDeviceSettings, said researchers.
“Also, it is feasible to run system commands (leading to arbitrary code execution) because of improper string handling. When both issues are combined, one can form a SOAP request which first bypasses authentication, and then causes arbitrary code execution,” said Anubhav.
In examining the PureMasuta botnet shell script downloaded from a command-and-control server, Anubhav fount the both variants shared the same server.
“We noticed that the command and control server (18.104.22.168) is same as used in the original Masuta variants, hence indicating that PureMasuta is an evolved creation of the same Masuta threat actors,” said Anubhav.
The researcher added that Nexus Zeta is no stranger when it comes to implementing SOAP related exploits.
“The threat actor has already been observed in implementing two other known SOAP related exploits, CVE-2014–8361 and CVE-2017–17215 in his Satori botnet project. A third SOAP exploit, TR-069 bug has also been observed previously in IoT botnets. This makes EDB 38722 the fourth SOAP related exploit which is discovered in the wild by IoT botnets,” he added.
Liviu Arsene, senior e-threat analyst at Bitdefender, told SC Media UK that if possible, disabling UPnP and enforcing strong authentication credentials should – to some extent – prevent this type of Mirai variant from taking over affected devices. “It's also recommended that devices should always be updated to the latest firmware build and all security patches installed – provided they are available – as this prevents threat actors from actively exploiting them in the wild,” he said.
Craig Young, security researcher for Tripwire's Vulnerability and Exposures Research Team (VERT), told SC Media UK that the current generations of IoT malware are limited to password guessing attacks and direct exploitation of known vulnerabilities in devices directly exposed to incoming connections from the Internet.
“My expectation however is that over the next 5 to 10 years (or maybe sooner) we will see IoT botnet operators move beyond this low-hanging fruit and start propagating their malware through unauthenticated CSRF exploits. (CSRF, or cross-site request forgery is an attack in which web browsers can relay malicious requests to devices on the local network.) “ he said.