The mystery of the recent surge in port 8000 scan activity has been solved today by security researches from Qihoo 360 Netlab, who tracked this week's mystery traffic to an old foe —the Satori IoT botnet.

According to researchers, the publication of proof-of-concept (PoC) code on June 8 for a popular web server software package drew the attention of the Satori crew, who integrated that particular exploit into their botnet's attack routine.

XionMai PoC results in a spike of port 8000 scans

The PoC code was for a buffer overflow vulnerability (CVE-2018-10088) in XionMai uc-httpd 1.0.0, a lightweight web server package often found embedded inside the firmware of routers and IoT equipment sold by some Chinese vendors.

The exploit allows an attacker to send a malformed package via ports 80 or 8000 and execute code on the device, effectively taking it over.

Scans for devices that had port 8000 exposed via their WAN interface started a day after the PoC's publication but picked up yesterday, June 14. The sudden surge in port 8000 activity turned the heads of multiple security experts specialized in botnet tracking, as it came out of nowhere and at an incredible scale.

Port 8000 scans

Port 8000 scans

Satori incorporates D-Link exploit

According to honeypot data from Qihoo 360 Netlab and SANS ISC, port 8000 scans started to die down today. Unfortunately, it wasn't because Satori was failing to infect devices, but because the botnet's authors added support for a second exploit.

This second exploit is also based on PoC code published online, but last month. The PoC is for a vulnerability affecting D-Link DSL-2750B routers, which can be exploited via ports 80 and 8080.

Naturally, scan activity targeting these two ports also grew similarly to the one seen on port 8000, and the Satori crew is trying to corral as many routers as it can before other botnets join the fold.

After previously targeting GPON routers, and with the addition of these two new exploits, Satori continues to grow with every day. The botnet has already survived a takedown attempt last December, and its authors seem intent on continuing on their current path.

While some IoT botnets try to avoid the limelight by just re-routing traffic for other crooks, Satori is more of an in-your-face botnet, used to hijack cryptocurrency miners and steal funds, or launch disruptive DDoS attacks. Just this week, Qihoo 360 Netlab says Satori carried out two such attacks [1, 2].

Indicators of compromise for the recent Satori versions are available in Netlab's recent report.

Related Articles:

Bushido-Powered DDoS Service Whipped Up from Leaked Code

New Iot Botnet Torii Uses Six Methods for Persistence, Has No Clear Purpose

Necurs Botnet Distributing Sextortion Email Scams

Remote Code Execution Flaws Found in FreeRTOS - Popular OS for Embedded Systems

New Reports Show Increased CyberThreats, User Risks Remain High