Now, it appears someone is working on getting another pool of Mirai ready to rock and roll. And they may be using a vulnerability in a Huawei HG532. And I wonder if there is a concentration of these devices?
Now, I’ve built a query which I think is correct, looking for Huawei Internet Gateway Devices (IGD). It suggests there are 241K of these devices out there, and of these, 163K are in Argentina. Of these, nearly all are on Telefonica de Argentina, presumably supplied as part of their consumer Internet service. The next biggest pocket is Tunisia (42K), all run by TOPNET.
If we check into one a bit, we find that they do indeed use the affected port:

    HTTP/1.1 200 OK
    LOCATION: http://192.168.1.1:37215/upnpdev.xml
    SERVER: Linux UPnP/1.0 Huawei-ATP-IGD
    CACHE-CONTROL: max-age=86500
    EXT:
    ST: upnp:rootdevice
    USN: uuid:00e0fc37-2525-2828-2500-90671cb864bb::upnp:rootdevice

but perhaps only listening on the interior IP? They do have another ‘http-like’ service on port 4567, perhaps it is also vulnerable.
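
The reading of that response, as an added example that is not part of the original post: it parses the SSDP headers quoted above, checks the SERVER banner, and reports whether the LOCATION URL points at the affected port and at an internal address. The function names `parse_ssdp` and `assess` are hypothetical; the sample input is the response from the post.

```python
import ipaddress
from urllib.parse import urlsplit

# SSDP response quoted in the post, embedded as sample input.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "LOCATION: http://192.168.1.1:37215/upnpdev.xml\r\n"
    "SERVER: Linux UPnP/1.0 Huawei-ATP-IGD\r\n"
    "CACHE-CONTROL: max-age=86500\r\n"
    "EXT:\r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:00e0fc37-2525-2828-2500-90671cb864bb::upnp:rootdevice\r\n"
    "\r\n"
)

def parse_ssdp(raw):
    """Return (status_line, headers) with header names upper-cased."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            headers[name.strip().upper()] = value.strip()
    return lines[0].strip(), headers

def assess(raw, affected_port=37215):
    """Summarise what the response says about the advertised UPnP endpoint."""
    _, h = parse_ssdp(raw)
    loc = urlsplit(h.get("LOCATION", ""))
    try:
        # is_private covers RFC 1918 space plus other reserved ranges.
        internal = ipaddress.ip_address(loc.hostname or "").is_private
    except ValueError:
        internal = None  # hostname is missing or not an IP literal
    return {
        "huawei_igd": "Huawei-ATP-IGD" in h.get("SERVER", ""),
        "host": loc.hostname,
        "port": loc.port,
        "affected_port": loc.port == affected_port,
        "advertises_internal_address": internal,
    }

if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
```

An internal LOCATION address only shows what the device advertises; it does not by itself establish which interfaces the port is bound on.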
If we instead approximate the search with a query for HuaweiHomeGateway, we find 2.6M devices, again clustered by certain ISP/country (Saudi Arabia, Turkey, New Zealand, Mexico, United Kingdom representing the majority of the devices).
Check Point published information on the existence of, but not the details of, this vulnerability quite recently (2017-11-27, ~2 weeks ago).
More information on this iteration (Satori) is here.