Hacker releases Satori malware code on Pastebin over Christmas break

Copycat attacks are expected

A known threat actor used the Christmas break to release working code for the Satori malware, which has been weaponised into the Satori and BrickerBot botnets.

Ankit Anubhav, principal researcher for NewSky Security, wrote a blog about the code being posted to Pastebin.

The malware exploits a vulnerability in some Huawei routers known as CVE-2017-17215, which Check Point discovered during a zero-day vulnerability check. The exploit code was not released at the time, but now that it has been posted to Pastebin, further attacks using it are expected.

The BrickerBot source code, released in December, was found to use the same vulnerability and the same attack vector, indicating that both Satori and BrickerBot copied the exploit code from the same source.

"IoT attacks are becoming modular day by day", writes Anubhav. "When an IoT exploit becomes freely available, it hardly takes much time for threat actors to up their arsenal and implement the exploit as one of the attack vectors in their botnet code."

Other botnets, notably Mirai, have made use of similar exploits (CVE-2014-8361 and TR-064) in the past. These networks of IoT devices are used in DDoS attacks to take down websites and services, although a software update can normally fix the vulnerability.

BrickerBot, which was released in April, claimed more than 2 million devices. It was able to brick IoT products by filling the devices' flash storage with junk, rendering them useless and requiring a firmware reinstall to bring them back to life. However, in many cases the firmware is difficult to procure, meaning that the devices need to be replaced altogether.

'Janitor', the grey hat hacker who authored the malware, claimed to be doing the world a service by removing unsafe devices from circulation:

"...if somebody launched a car or power tool with a safety feature that failed nine times out of 10 it would be pulled off the market immediately. I don't see why dangerously designed IoT devices should be treated any differently and after the Internet-breaking attacks of 2016 nobody can seriously argue that the security of these devices isn't important."