Hacker Ensnares 18,000 Huawei Devices Into Massive Botnet In Just 24 Hours

Hauwei is far and away best known for its smartphones and, to some extent, it's line of laptops like the Matebook X Pro. However, it also manufacturers routers and gateways, and one of its older models, the HG532, contains a vulnerability that a malware author exploited to create a fairly large botnet. What's particularly frightening about this is that it only took the malware author a single day to wreak havoc.

The new botnet currently spans over 18,000 routers, and is presumably growing. It was initially spotted by security researchers from NewSky Security and later confirmed by several other outfits.
According to the findings, the vulnerability can be exploited through port 37215. To be clear, this is not a zero-day exploit that is at play. Instead, the malware author took advantage of a high-profile vulnerability that several other botnets has previously exploited. It's a remote code execution vulnerability that's been documented as CVE-2017-17215, and for which Huawei released a security notice in November of last year.

"An authenticated attacker could send malicious packets to port 37215 to launch attacks. Successful exploit could lead to the remote execution of arbitrary code," Huawei said at the time.

It's not clear why the vulnerability still exists after all this time, only that an attacker who goes by the name "Wicked" is actively exploiting it. The malware author bragged about this misdeed with NewSky Security, saying he was motivated by money.

"Money plays a big part in it, but it's also fun to write these types of things. The monetary gain from this does come from web stressers that may rent our botnet out for a period," Wicked said.

Wicked also said that he has begun testing a vulnerability in Realtek routers using port 52869. If successful, we could be looking at an even bigger botnet that what he has already been able to assemble in a short period of time.
Tags:  security, botnet, Huawei