July 30, 2018

Satori Demonstrates Attackers’ Continued Drive for Zero-Day Exploits

Confirmed as a variant of the notorious Mirai malware, the emergence of Satori has shed light once again on the attackers’ incessant efforts to exploit zero-day vulnerabilities. In fact, since its discovery last December, Satori has evolved into multiple forms. They differ from their predecessors in the way of propagation. And, this time they have focused on targeting certain home router models.


To hijack a device, Satori will first look for an RCE vulnerability. If it exists, Satori will exploit it prompting the device to download from a remote server and run a precompiled, executable code that targets vulnerabilities of certain home router models.


Instead of using a list of known login credentials like Mirai, Satori proved able enough to remote command execution without authentication. After compromising a router, Satori has the additional flexibility to turn it into a member of an IoT botnet to launch DDoS attacks. This is very different from the Mirai, which attempts to break into IoT devices by brute force via telnet with a list of default or easily guessable usernames and passwords.


The Satori botnet first garnered industry attention in December 2017, when it hit Huawei home routers by rapidly leveraging newly discovered RCE vulnerability (CVE-2017-17215). The authenticated perpetrators could send malicious packets to port 37215 available for WAN in the implementation of TR-064 in the Huawei router. The remote execution of arbitrary code can take place once the exploit had succeeded.


In May 2018, barely days after RCE vulnerabilities CVE-2018-10561 and CVE-2018-15062 were published, Satori was able to target GPON-capable routers, manufactured by South Korean vendor Dasan, and subsequently D-Link’s DIR-620 routers, to gain control via the exploitation of a then 2-year old CVE. (Note: GPON stands for Gigabit Passive Optical Network and is a type of a telecommunication technology for supporting internet connections via fiber optics lines.)


By mid-June 2018, the Satori Botnet was in full swing. The new target was XiongMau uc-httpd 1.0.0 Internet of Things (IoT) device (CVE-2018-10088), which bears similarity to the exploitation of Huawei home routers six months earlier. Both cases involved perpetrators being able to execute commands injected into HTTP POST requests. According to Shodan, there are currently 585,760 XiongMau uc-httpd 1.0.0 devices connected to the Internet, all with the same vulnerability and potential to be exploited.


July this year, the industry saw a new protagonist going by the name ‘Anarchy’ infecting 18,000 Huawei routers via CVE-2017-17215, the exact same vulnerability that Satori exploited in December 2017. If this trend proves true, we’ve but seen the tip of the iceberg when it comes to infected routers.


What we have witnessed of IoTs and exploits is that Botnets like Satori are keeping very close track of zero-day RCE vulnerabilities, and are evidently very efficient at building and growing their Botnets based on these vulnerabilities. In Anarchy’s case, it is evident that even 8 month old vulnerabilities are still very much prone to being exploited as manufacturers face real challenges deploying security patches to their devices around the world.


Why is it so difficult to secure IoT?


Many IoT devices and systems are poorly designed and implemented, with security coming as a second thought. Moreover, they often use diverse protocols and technologies, and yet are connected to the same infrastructure within the organization. Therefore, making configurations and implementing security solutions turn out to be complicated. A long, complex lifecycle in which devices are “always on” and not rebooted often makes continuous threat prevention imperative. It is challenging to deliver critical security updates while ensuring uptime.




In the foreseeable future, security will remain a big challenge for IoT. Billions of devices are now connected as an extension of the internet. Security architecture is much needed to guard access to these devices and protect the data shared over IoT. Having said that, many of these accessible IoTs, intended or unintended, will remain the largest target for hackers and attackers owing to the lightweight, shoddy security features around them.


There is no silver-bullet solution to IoT security. Malware that target zero-day vulnerabilities will continue to mutate and reshape the cyberthreat landscape. Not only will they renew threats towards data security and availability of the connected devices, but will also provide more resources for attackers to build botnets.

Get the latest cybersecurity news and expert insights direct to your inbox

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.