The mystery of the recent surge in port 8000 scan activity has been solved today by security researchers from Qihoo 360 Netlab, who tracked this week's mystery traffic to an old foe, the Satori IoT botnet.
According to researchers, the publication of proof-of-concept (PoC) code on June 8 for a popular web server software package drew the attention of the Satori crew, who integrated that particular exploit into their botnet's attack routine.
The PoC code was for a buffer overflow vulnerability (CVE-2018-10088) in XionMai uc-httpd 1.0.0, a lightweight web server package often found embedded inside the firmware of routers and IoT equipment sold by some Chinese vendors.
The exploit allows an attacker to send a malformed packet via ports 80 or 8000 and execute code on the device, effectively taking it over.
Scans for devices that had port 8000 exposed via their WAN interface started a day after the PoC's publication but picked up yesterday, June 14. The sudden surge in port 8000 activity turned the heads of multiple security experts specialized in botnet tracking, as it came out of nowhere and at an incredible scale.
"What's up with all the 8000/tcp traffic?" — Bad Packets Report (@bad_packets), June 14, 2018

"Here's a link to the pcap file (traffic to & from port 8000). Definitely captured some traffic but nothing jumped out to me as malicious. Unusual, but not malicious. Always possible that I missed something, though. https://t.co/Ktooo5tryc" — ExecuteMalware (@executemalware), June 14, 2018
According to honeypot data from Qihoo 360 Netlab and SANS ISC, port 8000 scans started to die down today. Unfortunately, it wasn't because Satori was failing to infect devices, but because the botnet's authors added support for a second exploit.
This second exploit is also based on PoC code published online, but last month. The PoC is for a vulnerability affecting D-Link DSL-2750B routers, which can be exploited via ports 80 and 8080.
Naturally, scan activity targeting these two ports grew in the same way as the port 8000 traffic, and the Satori crew is trying to corral as many routers as it can before other botnets join the fold.
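The surges described above were first noticed by people watching honeypot and perimeter logs. As an added example, not code from Netlab, SANS ISC or the article, the script below flags a day on which the number of distinct sources probing one of the ports named here (80, 8000, 8080) jumps well above that port's earlier daily average. The log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from statistics import mean

WATCHED_PORTS = {80, 8000, 8080}  # uc-httpd (80/8000), D-Link DSL-2750B (80/8080)

# Hypothetical firewall log format: "<YYYY-MM-DD> <src_ip> -> :<dst_port>"
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d+\.\d+\.\d+\.\d+) -> :(\d+)$")

# Constructed sample: a quiet baseline, then a burst of new sources on 8000/tcp.
SAMPLE_LOG = """\
2018-06-11 203.0.113.5 -> :8000
2018-06-11 203.0.113.6 -> :22
2018-06-12 198.51.100.7 -> :8000
2018-06-12 203.0.113.5 -> :8000
2018-06-13 198.51.100.9 -> :8000
2018-06-14 192.0.2.10 -> :8000
2018-06-14 192.0.2.11 -> :8000
2018-06-14 192.0.2.12 -> :8000
2018-06-14 192.0.2.13 -> :8000
2018-06-14 192.0.2.14 -> :8000
2018-06-14 192.0.2.16 -> :8080
"""

def distinct_sources_per_day(log_text):
    """Return {port: {date: set(src_ip)}}, counting watched ports only."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the expected format
        date, src, port = m.group(1), m.group(2), int(m.group(3))
        if port in WATCHED_PORTS:
            seen[port][date].add(src)
    return seen

def find_surges(log_text, factor=3.0, min_baseline_days=2):
    """Return (port, date, count, baseline) for each day whose distinct-source
    count exceeds `factor` times the mean of that port's earlier days."""
    alerts = []
    for port, by_day in distinct_sources_per_day(log_text).items():
        history = []  # distinct-source counts of earlier days, in date order
        for date in sorted(by_day):
            count = len(by_day[date])
            if len(history) >= min_baseline_days and count > factor * mean(history):
                alerts.append((port, date, count, mean(history)))
            history.append(count)
    return alerts
```

Calling find_surges(SAMPLE_LOG) returns a single alert for 8000/tcp on 2018-06-14 (five distinct sources against a baseline of about 1.3 per day); the lone 8080 hit is not flagged because that port has no baseline yet.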
After previously targeting GPON routers, and with the addition of these two new exploits, Satori continues to grow with every day. The botnet has already survived a takedown attempt last December, and its authors seem intent on continuing on their current path.
While some IoT botnets try to avoid the limelight by just re-routing traffic for other crooks, Satori is more of an in-your-face botnet, used to hijack cryptocurrency miners and steal funds, or launch disruptive DDoS attacks. Just this week, Qihoo 360 Netlab says Satori carried out two such attacks [1, 2].
Indicators of compromise for the recent Satori versions are available in Netlab's recent report.