
New IoT malware picks up where Mirai left off

Satori, derived from Mirai, exploits zero-day home router vulnerability

Hackers used Mirai's widely available capabilities to launch a password brute-force attack.

Researchers at Palo Alto Networks’ Unit 42 have unmasked a new malware family, dubbed Satori, which exploits vulnerabilities in Realtek SDK chipsets and in Huawei’s HG532e home gateway.

Huawei patched the HG532e router in early December 2017.

Satori is a derivative of Mirai, an IoT malware that caused widespread chaos two years ago by hijacking vulnerable surveillance cameras and home routers. These were turned into a massive botnet that brought down several websites all over the world through DDoS attacks.

Satori is a classic zero-day attack, researchers say: an attack against a previously unknown vulnerability for which no patch was then available.

Satori, as a derivative of Mirai, reuses some of Mirai's source code for its telnet scanning and password brute-forcing functionality. Satori also identifies the type of IoT device it has landed on and behaves differently on different device types. Palo Alto's researchers believe that Satori's author has started reverse engineering the firmware of many IoT devices to collect device-specific information and discover new vulnerabilities. If this is correct, it may lead to future versions of Satori attacking other unknown vulnerabilities in other devices, the researchers conclude.

Because Mirai's source code is open-sourced on GitHub, attackers can easily reuse it to implement the network scanner and the password brute-force login modules needed for a telnet brute-force attack or other attacks. The Satori family reuses some Mirai code, including the network scanner, telnet password guessing and watchdog disabling.
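As an added illustration of the detection side of the telnet brute-force behaviour described above (example code written for this page, not Unit 42's analysis and not Satori or Mirai code), the Python below parses a constructed, syslog-style telnet login log and flags any source that racks up many failed logins across several usernames within a short window, which is the pattern a Mirai-derived scanner produces against a gateway. The log format, the field names, the sample addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs) in a syslog-style format assumed for a
# home gateway's telnet daemon. 203.0.113.7 shows Mirai-style behaviour: a burst of
# failed logins across several usernames, then a success. 192.0.2.44 is ordinary use.
SAMPLE_LOGS = """\
Dec  5 10:00:01 gateway telnetd[1203]: login failed for user 'admin' from 203.0.113.7
Dec  5 10:00:02 gateway telnetd[1203]: login failed for user 'root' from 203.0.113.7
Dec  5 10:00:02 gateway telnetd[1203]: login failed for user 'support' from 203.0.113.7
Dec  5 10:00:03 gateway telnetd[1203]: login failed for user 'admin' from 203.0.113.7
Dec  5 10:00:04 gateway telnetd[1203]: login failed for user 'user' from 203.0.113.7
Dec  5 10:00:05 gateway telnetd[1203]: login succeeded for user 'admin' from 203.0.113.7
Dec  5 10:03:10 gateway telnetd[1203]: login failed for user 'admin' from 192.0.2.44
Dec  5 10:30:00 gateway telnetd[1203]: login succeeded for user 'admin' from 192.0.2.44
"""

# Regex for the assumed log format above.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for user '(?P<user>[^']*)' "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line, year=2017):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_telnet_bruteforce(lines, window=timedelta(seconds=60), fail_threshold=4):
    """Return {source_ip: finding} for every source whose failed telnet logins
    reach fail_threshold inside some sliding window of the given length."""
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "failed"]
        # Sliding window over the time-ordered failures to find the densest burst.
        start, best_count, best_users, burst_end = 0, 0, set(), None
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count = count
                best_users = {f["user"] for f in fails[start:end + 1]}
                burst_end = fails[end]["ts"]
        if best_count < fail_threshold:
            continue
        # A success shortly after the burst suggests a guessed credential worked,
        # which is the case that needs an immediate password change and isolation.
        success_after = any(
            e["result"] == "succeeded" and burst_end <= e["ts"] <= burst_end + window
            for e in evs
        )
        findings[src] = {
            "failures_in_window": best_count,
            "distinct_users": len(best_users),
            "success_after_burst": success_after,
        }
    return findings


if __name__ == "__main__":
    for src, finding in detect_telnet_bruteforce(SAMPLE_LOGS.splitlines()).items():
        print(src, finding)
```

Many consumer gateways do not log telnet logins at all, so in practice the same window-and-threshold logic is more often applied at an upstream syslog collector or to firewall records of inbound port 23 connections; the thresholds here are deliberately low for the sample and should be tuned against a baseline of normal administrative traffic.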

Palo Alto Networks has released the IPS signature (37896) for the zero-day vulnerability exploited by Satori.
