The Mirai botnet was (and is) incredibly powerful. As is the case with any powerful cyberattack method, there will always be variations and expansions to capitalize on its strength. Mirai is no different, as variants have been reported within months of the worst attacks involving the botnet. Another botnet derived from Mirai, which has been on the radar for some time, has suddenly become much more active much to researchers’ alarm. Entitled Satori, which perhaps alludes to the Zen Buddhist concept of Enlightenment, the botnet has been studied ever since it popped up a month ago. The primary research term monitoring Satori is from the Chinese security company Qihoo 360 Netlab. In a report published in early December, 360 Netlab researchers noted how a new version of Satori started to "awaken" across 280,000+ IP addresses over the course of 12 hours.
The new version of Satori seemingly activated without any warning, and once active, it began scanning ports 37215 and 52869 in various locations. What makes Satori so concerning to InfoSec professionals is that there are numerous functions that make it different from other botnet variants. Take for instance the scanning of ports. According to 360 Netlab, the bot performs this in a unique manner:
The bot itself now does NOT rely on loader|scanner mechanism to perform remote planting, instead, bot itself performs the scan activity. This worm-like behavior is quite significant.
The worm behavior is significant because as Catalin Cimpanu noted in his report on Satori, the IoT botnet is “able to spread by itself without the need for separate components.” Much of the botnet’s growth is due to exploits in the previously mentioned ports (37215 and 52869). The first exploit is a zero-day that exists in Huawei Home Gateway routers. As stated in the threat report by Checkpoint, this zero-day allows for remote arbitrary code execution.
The second exploit that Satori leverages is a rather old one (CVE-2014-8361). This particular exploit from 2014 affects Realtek devices. It was patched a while back, so Satori scans on port 52869 are less successful, but, of course, there is no doubt unpatched devices still out there.
What has security researchers worried is that there is no real understanding of how this botnet will be used. Is it gearing up for an attack in the near future, or perhaps will it unload at a later unexpected date when initial fervor dies down? The countries where Satori is scanning devices keeps growing at an alarming rate, and one has to wonder when the attacks will truly begin.
For now, cybersecurity researchers can only study Satori and prepare defenses against it.
Photo credit: Pixabay