Delaware, USA – November 8, 2018 – The BCMUPnP_Hunter botnet was first spotted two months ago and has since grown to more than 100,000 infected devices. Researchers from Qihoo 360's Netlab determined that its operators exploit an old and well-known vulnerability in the Broadcom UPnP SDK, which ships in thousands of router models from different manufacturers and lets an unauthenticated remote attacker execute code on the device. This is not the first botnet to exploit that flaw, but the BCMUPnP_Hunter code indicates an entirely new malware family written by experienced authors. Infected routers are scattered around the world, with the largest concentrations in India, China and the United States. After infecting a device, the malware scans for other vulnerable routers. It also turns the infected device into a proxy through which the botnet operators relay connections to remote IP addresses; in particular, BCMUPnP_Hunter connects to the mail servers of services such as Yahoo, Outlook and Hotmail.
According to the report, despite the age of the vulnerability there are still about 400,000 vulnerable devices worldwide. To protect your network against this threat, install the latest firmware for your routers and disable UPnP entirely if nothing on the network depends on it; at a minimum, make sure the UPnP service is not reachable from the WAN side. Because an infected router both scans for new victims and relays outbound mail connections, an infection also shows up as unusual flows at the network edge. To enable quick decisions on network data flows, traffic spikes and deviations, you can use the Netflow Security Monitor rule pack for your SIEM: https://my.socprime.com/en/integrations/netflow-security-monitor-hpe-arcsight
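The two behaviours the article describes, a router sweeping many hosts on the UPnP port and the same router opening outbound SMTP sessions to many distinct mail servers, are both visible in flow data. The script below is an added example of how to pick them out of NetFlow-style records; it is not code from the article, from Netlab or from the SOC Prime rule pack. It assumes the records have been reduced to timestamp, source, destination, destination port and protocol; the UPnP port it watches (TCP 5431, the port Netlab reported the scanner probing), the SMTP ports, the internal address ranges and the thresholds are parameters to adjust to your own environment, and the sample flows are constructed for the example, not captured traffic.

```python
"""
Flow-based detection for the two BCMUPnP_Hunter behaviours described above:
an infected router sweeping many hosts on the UPnP port, and the same router
being used as a proxy that opens outbound SMTP sessions to many distinct mail
servers. Ports, networks, thresholds and sample records are assumptions for
this example, not values from the article.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

UPNP_PORT = 5431             # assumed UPnP listener port; adjust to what your routers expose
SMTP_PORTS = {25, 465, 587}  # SMTP, SMTPS and submission
# Assumed address space of the monitored routers (home / CPE side).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record reduced to the fields the detections need."""
    ts: int        # flow start, epoch seconds
    src: str       # source address
    dst: str       # destination address
    dport: int     # destination port
    proto: str = "tcp"


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_port_sweeps(flows, port=UPNP_PORT, min_targets=20, window=60):
    """Sources that contact >= min_targets distinct hosts on `port` within any
    `window` seconds. Returns {src: max distinct targets seen in one window}."""
    per_src = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport == port:
            per_src[f.src].append((f.ts, f.dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> number of flows inside the window
        left, best = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until every counted event is within `window` of ts.
            while events[left][0] < ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            hits[src] = best
    return hits


def find_smtp_fanout(flows, min_servers=5):
    """Internal sources opening sessions to >= min_servers distinct external
    mail servers. Returns {src: sorted list of servers}. Allow-list your own
    mail relays before alerting on this."""
    servers = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport in SMTP_PORTS and is_internal(f.src) and not is_internal(f.dst):
            servers[f.src].add(f.dst)
    return {src: sorted(s) for src, s in servers.items() if len(s) >= min_servers}


def suspects(flows):
    """Sources showing both behaviours, the combination that fits this botnet."""
    return set(find_port_sweeps(flows)) & set(find_smtp_fanout(flows))


def constructed_flows():
    """Hand-built sample records (constructed for the example, not captured traffic)."""
    t0 = 1_541_635_200  # arbitrary epoch base
    flows = []
    # 192.168.1.1 sweeps 25 hosts on the UPnP port within 25 seconds.
    for i in range(1, 26):
        flows.append(Flow(t0 + i, "192.168.1.1", f"198.51.100.{i}", UPNP_PORT))
    # 192.168.1.10 also reaches 25 hosts, but one every ten minutes: outside the window, not a sweep.
    for i in range(25):
        flows.append(Flow(t0 + 600 * i, "192.168.1.10", f"198.51.100.{100 + i}", UPNP_PORT))
    # 192.168.1.1 then fans out to six distinct external mail servers.
    for i in range(6):
        flows.append(Flow(t0 + 100 + i, "192.168.1.1", f"203.0.113.{10 + i}", 25 if i % 2 else 587))
    # 192.168.1.20 submits mail to a single server: normal client behaviour.
    flows.append(Flow(t0 + 200, "192.168.1.20", "203.0.113.50", 587))
    # Unrelated HTTPS traffic.
    flows.append(Flow(t0 + 300, "192.168.1.30", "203.0.113.80", 443))
    return flows


SAMPLE_FLOWS = constructed_flows()

if __name__ == "__main__":
    print("port sweeps :", find_port_sweeps(SAMPLE_FLOWS))
    print("smtp fan-out:", find_smtp_fanout(SAMPLE_FLOWS))
    print("suspects    :", suspects(SAMPLE_FLOWS))
```

The sweep check uses a sliding time window rather than a plain per-source count so that a device that legitimately talks to many peers over a day is not flagged, while a router probing dozens of addresses in seconds is. The SMTP check keys on distinct external servers rather than connection volume, because a relay used for spam contacts many providers whereas a normal client submits to one or two; run both and alert on the intersection to match the combination the report describes, and raise the thresholds if your own mail infrastructure trips the second rule.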