Assessing a country’s risk: Mirai/Satori, Argentina

Mirai. It has done a ton of damage, attacking various routers, IP cameras, etc. It was used to target Germany, so we know it can be used geographically.

Now, it appears someone is working on getting another pool of Mirai ready to rock and roll. And they may be using a vulnerability in a Huawei HG532. And I wonder if there is a concentration of these devices?

Now, I've built a query which I think is correct, looking for Huawei Internet Gateway Devices (IGD). And it suggests there are 241K of these devices out there. And, of these, 163K are in Argentina. Of these, nearly all are on Telefonica de Argentina, presumably supplied as part of their consumer Internet service. The next biggest pocket is Tunisia (42K), all run by TOPNET.

If we check into one a bit, we find that they do indeed use the affected port:

HTTP/1.1 200 OK
LOCATION: http://192.168.1.1:37215/upnpdev.xml
SERVER: Linux UPnP/1.0 Huawei-ATP-IGD
CACHE-CONTROL: max-age=86500
EXT: 
ST: upnp:rootdevice
USN: uuid:00e0fc37-2525-2828-2500-90671cb864bb::upnp:rootdevice

but perhaps only listening on the interior IP? They do have another 'http-like' service on port 4567, perhaps it is also vulnerable.
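To make the "interior IP" question above concrete, here is a small parser for the SSDP/HTTPU reply shown, written for this post as an added example (it is not the author's query or any scanner's code). It takes the reply as a constructed inline sample, extracts the headers, flags the Huawei-ATP-IGD server banner, and checks whether the advertised LOCATION points at an RFC 1918 address, which is the signal an operator would use when inventorying their own devices to decide whether the UPnP service on port 37215 is only reachable from the LAN side.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample: the SSDP reply quoted in the post, with CRLF line endings
# as an SSDP responder would actually send it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "LOCATION: http://192.168.1.1:37215/upnpdev.xml\r\n"
    "SERVER: Linux UPnP/1.0 Huawei-ATP-IGD\r\n"
    "CACHE-CONTROL: max-age=86500\r\n"
    "EXT: \r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:00e0fc37-2525-2828-2500-90671cb864bb::upnp:rootdevice\r\n"
    "\r\n"
)


def parse_ssdp_response(raw):
    """Split an SSDP/HTTPU reply into its status line and a dict of headers.

    Header names are upper-cased because SSDP responders are inconsistent
    about case. Only the first ':' separates name from value, so values that
    themselves contain ':' (URLs, uuid: USNs) survive intact.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    status = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        if ":" not in line:
            continue  # tolerate junk lines rather than failing the whole reply
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return status, headers


def assess(raw):
    """Summarise what a reply tells a defender about a single device.

    Returns whether the SERVER banner matches the Huawei IGD string from the
    post, where the LOCATION URL points, and whether that host is a private
    (RFC 1918 / RFC 4193) address, i.e. an interior interface.
    """
    status, headers = parse_ssdp_response(raw)
    server = headers.get("SERVER", "")
    location = headers.get("LOCATION", "")
    parsed = urlparse(location)
    host = parsed.hostname or ""
    try:
        private = ipaddress.ip_address(host).is_private
    except ValueError:
        private = None  # LOCATION was a hostname or unparsable; unknown
    return {
        "status": status,
        "huawei_igd": "Huawei-ATP-IGD" in server,
        "location_host": host,
        "location_port": parsed.port,
        "location_is_private": private,
        "st": headers.get("ST", ""),
        "usn": headers.get("USN", ""),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

For the sample reply this reports a Huawei-ATP-IGD banner with a LOCATION of 192.168.1.1 on port 37215, flagged as private. A LOCATION on a private address does not prove the service is unreachable from outside (the reply itself came back over whatever interface was probed), so the useful follow-up for an operator is to confirm from their own network whether port 37215 answers on the WAN side and to close it there if so.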

If we instead approximate the search with a query for HuaweiHomeGateway, we find 2.6M devices, again clustered by certain ISP/country (Saudi Arabia, Turkey, New Zealand, Mexico, United Kingdom representing the majority of the devices).

Check Point published information on the existence of, but not the details of, this vulnerability quite recently (2017-11-27, ~2 weeks ago).

More information on this iteration (Satori) is here.
