32,000+ WiFi Routers Potentially Exposed to New Gafgyt Variant

Published: 23/11/2024   Category: security




Researchers detect an updated Gafgyt variant that targets flaws in small office and home wireless routers from Zyxel, Huawei, and Realtek.



A newly discovered variant of the Gafgyt Internet of Things (IoT) botnet is attempting to infect connected devices, specifically small office and home wireless routers from brands that include Zyxel, Huawei, and Realtek.
Gafgyt was first detected in 2014. Since then, it has become known for large-scale distributed denial-of-service attacks, and its many variants have grown to target a range of businesses across industries. Starting in 2016, researchers with Unit 42 (formerly Zingbox security research) noticed wireless routers are among the most common IoT devices in all organizations and prime targets for IoT botnets.
When a botnet strikes, it can degrade the production network and the reputation of a company's IP addresses. Botnets gain access to connected devices by using exploits instead of attempting to log in via unsecured services. As a result, a botnet can spread through IoT devices even if a business's admins have disabled unsecured services and use strong login credentials.
The new Gafgyt variant, detected in September, is a competitor of the JenX botnet. JenX also leverages remote code execution exploits to access devices and recruit them into botnets that attack gaming servers, especially those running the Valve Source engine, and launch denial-of-service (DoS) attacks. This Gafgyt variant targets vulnerabilities in three wireless router models, two of which it has in common with JenX. The two share CVE-2017-17215 (in the Huawei HG532) and CVE-2014-8361 (in Realtek's RTL81XX chipset). CVE-2017-18368 (in the Zyxel P660HN-T1A) is a new addition to Gafgyt.
"Gafgyt was developed off JenX botnet code, which just highlights how much interest there is when it comes to building botnets within that community," says Jen Miller-Osborn, deputy director of threat intelligence at Unit 42. This evolution of Gafgyt indicates a dedicated group of people is working to update these botnets and make them more dangerous, she notes. Most of the time when a botnet is updated, it typically means a new CVE has been added to its lineup.
"The difference with this one is the developers added a new vulnerability to it that wasn't present in the previous one," Miller-Osborn says. That added to its potential reach. Shodan scans indicate at least 32,000 Wi-Fi routers are potentially vulnerable to these exploits.
Gafgyt uses three scanners in an attempt to exploit known remote code execution bugs in the aforementioned routers. These scanners replace the dictionary attacks employed by other IoT botnets, which typically aim to breach connected devices through unsecured services.
The exploits are designed to work as binary droppers, which pull a corresponding binary from a malicious server depending on the type of device it's trying to infect. "The new Gafgyt variant is capable of conducting different types of DoS attacks at the same time, depending on the commands it receives from the command-and-control server," Unit 42 researchers say in a blog post on the findings.
Gafgyt Sets Sights on Gamers
One of the DoS attacks this Gafgyt variant can perform is VSE, which contains a payload to attack game servers running the Valve Source Engine. This is the engine that runs games like Half-Life, Team Fortress 2, and others. Researchers emphasize this isn't an attack on Valve, as anyone can run a server for the games on their own network. This attack targets the servers.
With the rest of the DoS attack methods, operators are targeting other servers hosting popular games such as Fortnite, Unit 42 found. Miller-Osborn says the purpose in targeting gaming servers is mostly to be an annoyance. "They're not going to make a lot of money doing it," she adds.
While gaming servers have become popular victims, the diversity of IoT devices targeted in these attacks has grown, researchers say. There is nothing about these routers that makes them more likely to be owned by gamers; home users and small businesses are also at risk.
"Once they're compromised, they're used to do malicious activity," Miller-Osborn explains. "The routers themselves could be owned by anyone. The biggest thing, especially with all these IoT malware families, is for people to keep in mind this is probably just going to get worse."
An attack on gaming servers is one thing, she says. It's typically a DoS incident and people aren't getting hurt. However, if an attacker can effectively compromise a router, they can also move into the network and conduct more nefarious activity — for example, data theft.
These attacks highlight the fact that there are a lot of devices, especially routers, active on the Internet and vulnerable to a number of CVEs. The new Gafgyt variant, for example, targets two router vulnerabilities from 2017 and one from 2014, Miller-Osborn points out. "When it comes to routers, you don't necessarily see them getting patched," she notes. Outside the security community, few people will know when they should update their routers or if they've been hit by a botnet — unless, of course, their Internet service provider tells them.
Instagram: New Botnet Market
Cybercriminals are also finding new ways to sell botnets, researchers report. Once an activity limited to the Dark Web, the buying and selling of malware has surfaced on social networks.
In one attack analyzed, the new Gafgyt variant looks for competing botnets on the same device and tries to kill them. It does this by looking for certain keywords and binary names present in other IoT botnet variants. Researchers noticed some strings related to other IoT botnets (Mirai, Hakai, Miori, Satori), and some corresponded to Instagram usernames. The team built some fake profiles and reached out, only to find the account owners were selling botnets through their Instagram profiles.
Attackers offered the researchers source code for botnets. Unit 42 has contacted Instagram to report these profiles; it also reported malicious sites being used to handle botnet subscriptions. It's pretty common for these sales to happen on social media, says Miller-Osborn, and a constant fight for social networks to take down malicious accounts.
"People want to market their devices and services, and one of the easiest ways to do that is on social media," she explains. While it makes things simple for attackers, removing the accounts is a constant game of whack-a-mole for social media companies.
