Palo Alto Networks has discovered an updated Gafgyt variant trying to infect thousands of small office or home wireless routers. An updated variant of the Gafgyt malware has rendered 32,000 Wi-Fi routers around the world potentially vulnerable to various exploits.
Unit 42, the security research team at Palo Alto Networks, discovered the variant in September 2019 during an IoT vulnerability exercise. The Gafgyt botnet was initially uncovered in 2014 and has proven a popular tool for those launching large-scale distributed denial of service (DDoS) attacks.
The new Gafgyt variant, detected in September, is a competitor of the JenX botnet. JenX also leverages remote code execution exploits to compromise devices and recruit them into a botnet that attacks gaming servers, especially those running the Valve Source engine, with denial-of-service (DoS) traffic. This Gafgyt variant targets vulnerabilities in three wireless router models, two of which it has in common with JenX. The two share CVE-2017-17215 (in the Huawei HG532) and CVE-2014-8361 (in Realtek’s RTL81XX chipset). CVE-2017-18368 (in the Zyxel P660HN-T1A) is a new addition to Gafgyt.
Gafgyt contains a payload that can attack game servers running the Valve Source Engine, an engine that runs games such as Half-Life and Team Fortress 2, among others. The research notes that this is not an attack on the Valve corporation itself “because anyone can run a server for these games on their network”.
The payload behind the Valve server attacks is widely used to cause what are known as distributed reflection denial of service attacks (DrDoS).
“The difference with this one is the developers added a new vulnerability to it that wasn’t present in the previous one,” Miller-Osborn says. “That added to its potential reach.” Shodan scans indicate at least 32,000 Wi-Fi routers are potentially vulnerable to these exploits.