The next internet-crashing botnet is slowly starting to wake up. Since late December, a botnet known as Satori has been infecting new endpoints and generally showing the signs of a disaster waiting to happen. How should you brace yourself for the next large-scale DDoS attack?
A Dormant Botnet Reawakens
The last time we saw the Satori botnet was in 2016, back when it was still called Mirai. We know that two years is a long time in information security, but the Mirai botnet incident is hard to forget. Using millions of infected IoT devices, such as routers, security cameras, and smart thermostats, the Mirai botnet was able to crash the fiber backbone for almost the entire U.S. eastern seaboard. The attack shut down the internet for hours.
Satori isn't Mirai, but it's a close cousin. As opposed to Mirai, which needed to download a separate component before it became active, Satori spreads like a worm. Infected hosts scan open ports on routers and other IoT devices, looking for specific vulnerabilities. To date, three kinds of vulnerable devices have been identified:
- Huawei Home Gateway routers may contain an exploitable remote code execution bug. Little is known about the vulnerability, and no patch is currently available.
- Realtek routers contain a similar vulnerability, but it has been patched in many systems, leading to a lower rate of success for this exploit.
- DASAN Networks, a little-known router manufacturer in South Korea, operates about 40,000 routers. All of these routers appear to be vulnerable to Satori, but the manufacturer has not responded to security researchers and appears unwilling to issue a patch.
Needless to say, anyone currently running these devices should take steps to immediately isolate, patch or replace them if necessary.
In addition to infecting routers, the operator of the Satori network has found a profitable sideline. Satori malware recently targeted and infected cryptocurrency mining software. By exploiting vulnerabilities in a software program known as Claymore, the malware was able to overwrite cryptocurrency wallet addresses with those belonging to the malware operator. Therefore, all the currency being mined by the associated machine will be diverted to the attacker. The Satori botnet has already raised more than $2,000 USD worth of the cryptocurrency known as Ethereum using this method.
A Multi-Purpose Botnet?
The use of this particular botnet to mine cryptocurrency suggests that its operator has more in mind than simple DDoS attacks. While previous botnet operators have been happy to use their networks for the purpose of extortion, other attacks in late 2017 and early 2018 suggest that this business model might be beginning to change.
Hackers have launched a number of schemes to steal or parasitically mine various cryptocurrencies. Several groups have begun using malicious adware to infect websites and hijack visitors' CPUs to mine Bitcoin. Another group was able to infect Tesla Motors' public cloud by hijacking an undefended Kubernetes console.
While the individual processing power of a single router is insignificant, a network of tens of thousands of bots might be able to generate a great deal of cryptocurrency on aggregate. While these attacks might be relatively harmless - after all, they don't involve stealing or encrypting data - the potential for mass nuisance is undeniable.
How to Keep an Eye Out for Cryptojacking and DDoS Attacks
If you suspect that an attacker has hijacked one of your IoT devices - or if you think that someone is aiming a DDoS attack against you - you'll want to know right away. These types of sophisticated attacks keep growing, and it's no longer OK to have blind spots in your network and application infrastructure.
DDoS attacks and cryptojacking will both lead to noticeable network and application slowdowns, which will have a cascading effect in terms of productivity and customer responsiveness.
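One concrete way to spot the worm-like scanning described above before the slowdown hits is to watch your own flow logs for an internal host that reaches out to many distinct addresses on one port with almost no completed handshakes. This is an added example, not code from the original article; the flow records, addresses and port number are constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, handshake_completed).
# A worm hunting for vulnerable gateways produces many connection attempts from
# one host to many distinct addresses on the same service port, mostly unanswered.
SAMPLE_FLOWS = (
    # one internal host probing 25 distinct addresses on a constructed port, none answering
    [("10.0.0.5", f"198.51.100.{i}", 8080, False) for i in range(1, 26)]
    # a normal client talking repeatedly to a few services, handshakes completed
    + [("10.0.0.9", "203.0.113.10", 443, True)] * 30
    + [("10.0.0.9", "203.0.113.11", 443, True), ("10.0.0.9", "203.0.113.12", 80, True)]
)


def scan_candidates(flows, min_targets=20, max_answer_ratio=0.2):
    """Group flows by (source, destination port) and flag pairs that touched at
    least `min_targets` distinct destinations while only a small share of those
    destinations completed a handshake.
    Returns {(src_ip, dst_port): (distinct_targets, answered_targets)}."""
    targets = defaultdict(set)   # (src, port) -> distinct destinations attempted
    answered = defaultdict(set)  # (src, port) -> destinations that completed a handshake
    for src, dst, port, ok in flows:
        targets[(src, port)].add(dst)
        if ok:
            answered[(src, port)].add(dst)
    flagged = {}
    for key, dsts in targets.items():
        n_targets = len(dsts)
        n_answered = len(answered[key])
        if n_targets >= min_targets and n_answered / n_targets <= max_answer_ratio:
            flagged[key] = (n_targets, n_answered)
    return flagged


if __name__ == "__main__":
    for (src, port), (n_targets, n_answered) in scan_candidates(SAMPLE_FLOWS).items():
        print(f"{src} probed {n_targets} hosts on port {port}, "
              f"{n_answered} answered: possible worm scanning")
```

Tune `min_targets` and `max_answer_ratio` to your environment so that legitimate high fan-out hosts (monitoring systems, DNS resolvers) do not trip the check.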