Analysts working at Qihoo 360’s Netlab team say that they first identified the new botnet in September 2018. They have dubbed it “BCMUPnP_Hunter” because of its exploitation of a security hole in the Broadcom UPnP SDK first discovered in 2013.
UPnP (also known as Universal Plug and Play) is the umbrella term for the networking protocols used to connect all manner of computers and IoT devices to one another. It is not uncommon to find that devices have UPnP enabled by default.
Back in 2013, the Broadcom UPnP vulnerability was found on Cisco Linksys (now Belkin) WRT54GL routers, and a fix was created. However, what raised particular concern at the time was that the vulnerability was found to be present in the firmware of many routers based on the Broadcom chipset, manufactured by a wide range of companies.
Five years later, the BCMUPnP_Hunter botnet is scanning the internet for exposed UPnP interfaces on port 5431, and taking advantage of the flaw to seize control of unsecured routers, in order to run malicious code remotely upon them. No password required.
According to the researchers, once BCMUPnP_Hunter has hijacked a router it communicates with “well-known mail servers such as Outlook, Hotmail, Yahoo! Mail.” There is a high likelihood that the purpose of this is to distribute spam messages.
Unlike many of the IoT botnets at large today, BCMUPnP_Hunter is not based upon source code that has been leaked online, and appears to have been created from scratch. It has a complicated multi-stage infection mechanism that sets it apart from the crowd. In the opinion of the researchers who discovered the botnet, “it seems that the author has profound skills and is not a typical script kid.”
One concern expressed by the researchers is that, since September, they have watched the BCMUPnP_Hunter botnet silently grow in strength.
In total, 3.37 million unique IP addresses have been identified as the source of the botnet’s scans, although it is likely that the same infected devices changed their IP addresses over time. The number of daily active devices recruited into the botnet is typically thought to be around 100,000 worldwide, with the highest concentration in India, China, and the United States.
The botnet’s search for new victims picks up every 1-3 days, with typically 100,000 devices actively scanning on each occasion.
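The scanning behaviour described above has a simple defensive signature: legitimate UPnP traffic stays on the LAN, so inbound connections to TCP port 5431 on the internet-facing interface, from many distinct sources in a short window, indicate a scan wave rather than a single curious host. The following is an added example, not code from Netlab or from this article; it parses a handful of constructed iptables-style firewall log lines (the log format, the interface name `eth0` as the WAN side, and the addresses are all assumptions) and flags the time buckets that look like a botnet scan wave.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines (iptables-style), not real data.
# RFC 5737 documentation addresses are used for the scanning sources.
SAMPLE_LOG = """\
Nov 07 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=41230 DPT=5431
Nov 07 10:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.11 DST=198.51.100.5 PROTO=TCP SPT=41231 DPT=5431
Nov 07 10:00:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=5431
Nov 07 10:00:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=41232 DPT=5431
Nov 07 10:01:30 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=33333 DPT=5431
Nov 07 10:01:45 gw kernel: IN=br0 OUT= SRC=192.168.1.20 DST=192.168.1.1 PROTO=TCP SPT=49152 DPT=5431
Nov 07 10:02:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=22
Nov 07 10:31:12 gw kernel: IN=eth0 OUT= SRC=203.0.113.55 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=5431
"""

# Regex for the assumed log format above (hypothetical; adjust to your own firewall's output).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: IN=(?P<iface>\S*) OUT=\S* "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

UPNP_PORT = 5431          # port scanned by BCMUPnP_Hunter, per the article
WAN_IFACES = {"eth0"}     # assumption: which interface faces the internet


def parse_line(line, year=2018):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "iface": m["iface"], "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def wan_upnp_probes(log_text, port=UPNP_PORT, wan_ifaces=WAN_IFACES):
    """Return only the events that are inbound on a WAN interface to the UPnP port.
    LAN-side UPnP traffic (IN=br0 here) is expected and is deliberately ignored."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["iface"] in wan_ifaces and ev["proto"] == "TCP" and ev["dpt"] == port:
            events.append(ev)
    return events


def scan_wave_buckets(events, bucket_minutes=10, min_sources=3):
    """Group probes into fixed time buckets and keep the buckets that saw at least
    min_sources distinct source addresses. Many different sources hitting the same
    port within minutes is the shape of a botnet-wide scan, not of one host."""
    buckets = defaultdict(set)
    for ev in events:
        floored = ev["ts"].replace(minute=(ev["ts"].minute // bucket_minutes) * bucket_minutes,
                                   second=0, microsecond=0)
        buckets[floored].add(ev["src"])
    return {k: sorted(v) for k, v in sorted(buckets.items()) if len(v) >= min_sources}


if __name__ == "__main__":
    probes = wan_upnp_probes(SAMPLE_LOG)
    print(f"{len(probes)} WAN probes to TCP/{UPNP_PORT} from "
          f"{len({p['src'] for p in probes})} distinct sources")
    for start, sources in scan_wave_buckets(probes).items():
        print(f"scan wave starting {start:%Y-%m-%d %H:%M}: {len(sources)} sources -> {sources}")
```

On the sample data the 10:00 bucket is flagged (four distinct sources in two minutes) while the lone 10:31 probe is not, and the LAN-side request and the SSH probe are excluded before counting. The bucket size and source threshold are tuning knobs; the article's figure of roughly 100,000 devices scanning per wave suggests that on a real WAN link the threshold can be set well above the value used here.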
So, what can be done? Well, there are only two possible reasons why a botnet can still exploit this five-year-old UPnP vulnerability.
Either, users have not installed a security update onto their routers…
… or vendors have not issued an update for the vulnerable routers.
If you are able, you should ensure that your router is running the latest firmware update and is fully patched against any known security vulnerabilities.
And if you are not able to find a method for updating your router, you may wish to contact whoever sold you the router to find out how they are planning to keep it updated as new threats are found (and as five-year-old vulnerabilities continue to cause headaches).
Additionally, you may wish to consider disabling UPnP entirely. If you don’t have a need for Universal Plug and Play, you’ll be reducing your attack surface by turning the feature off completely.
So far, 116 different router models have been identified as recruited into the botnet – including devices branded with familiar names such as CenturyLink, D-Link, iiNet, Linksys, NetComm, TP-Link, Technicolor, ZTE, and ZyXEL.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.