Anarchy also plans to target CVE-2014-8361, a vulnerability in Realtek routers exploitable via port 52869.
Anarchy also plans to target CVE-2014-8361, a vulnerability in Realtek routers exploitable via port 52869.

A malware author who goes by the alias “Anarchy” has built an army of 18,000 botnets in a single day by hacking Huawei routers using a single exploit.

The threat actor exploited the CVE-2017-17215 in Huawei HG532 routers which is a well-known exploit that has already been abused by at least two versions of the Satori botnet and many of the smaller Mirai-based offshoots, NewSky security researcher Ankit Anubhav tweeted.

Anarchy also told Anubhav he also plans to target CVE-2014-8361, a vulnerability in Realtek routers exploitable via port 52869.

“The attacker Anarchy has shared a list of infected victim IPs which at that point, I am not making public for obvious reasons,” he tweeted. “The motives are not clear as the attacker only told he is doing this "to make the biggest baddest botnet in town," he said adding that the motive is probably to use them for DDoS attacks.

Bleeping Computer researchers noted an uptick in the number of compromised routers in a July 19 blog post. Researchers added the bigger issue is that the threat actor was able to build up the massive botnet so easily highlighting the poor state of SOHO router security.

Sean Newman, Director of Product Management for Corero Network Security pointed out that this is the second time in a few days that we've seen reports of Internet-facing devices remaining vulnerable for extended periods of time after patches exist to secure them.  

“First, it was passwords for thousands of DVRs being exposed by the ZoomEye search engine, exploiting a vulnerability from 2013,” Newman said. “Now it's Huawei and Realtek routers, being recruited by the thousands into a botnet, using vulnerabilities from 2017.”

He went on to say this highlights one of the key issues with IoT security is that the owners of the devices still haven't got around to, or been able to, upgrade flaws despite the vendors notifying and releasing updates.

“Vendors can't force users to upgrade so, whilst this behavior continues, there remains no end in sight for IoT devices being acquired for various nefarious activities including use in botnets for launching DDoS and other large-scale criminal campaigns,” Newman added.