The Satori botnet is up and at 'em.
"Satori" is an evolved form of Mirai. Security firm Qihoo 360 Netlab reported discovering that the large botnet became active early in the week. Estimates of its size run to 280,000 bots, mostly routers.
The original versions of Mirai used Telnet scanners to find vulnerable devices. Satori doesn't—Qihoo 360 Netlab says the botnet uses two embedded exploits that seek to connect with devices on ports 37215 and 52869. As Bleeping Computer points out, "Effectively, this makes Satori an IoT worm, being able to spread by itself without the need for separate components" (Bleeping Computer).
Qihoo 360 Netlab thinks the exploit that connects to port 37215 is a zero-day. They've been tracking it and have it under analysis, but they're unwilling to discuss it further, for now. CenturyLink thinks the botnet may be abusing a zero-day in Huawei Gateway Home Routers.
There's less mystery surrounding the exploit that's hitting port 52869. That one is for a well-known, and relatively old, bug in some Realtek devices, CVE-2014-8361. Many Realtek devices have already been patched for it, which may explain why this exploit has been the less successful of the two.
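Because Satori spreads on its own, the two ports named above are worth watching from both directions: inbound sweeps show someone probing your edge for the Huawei and Realtek services, while outbound connection attempts from a device on the inside are the stronger signal that it is already infected and hunting for neighbours. The following detection script is an added example for this article, not code from Netlab, Bleeping Computer, or any of the vendors mentioned. It assumes iptables/UFW-style kernel log lines (the `SRC=`, `DST=`, `DPT=` fields), a constructed sample log using documentation IP ranges, and a single local subnet of 198.51.100.0/24; adjust `LOCAL_NETS` and the regex for your own gateway.

```python
import ipaddress
import re
from collections import defaultdict

# Destination ports named in the Netlab report for Satori's two exploits.
SATORI_PORTS = {37215, 52869}

# iptables/UFW-style log fields; an assumption about the gateway's log format.
LOG_RE = re.compile(r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?\sDPT=(?P<dpt>\d+)")

# Constructed sample lines, not real traffic. 203.0.113.0/24 and 192.0.2.0/24
# stand in for external hosts; 198.51.100.0/24 is the "local" LAN here.
SAMPLE_LOG = """\
Dec  5 10:01:02 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=51012 DPT=37215 SYN
Dec  5 10:01:03 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.11 PROTO=TCP SPT=51013 DPT=37215 SYN
Dec  5 10:01:03 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.12 PROTO=TCP SPT=51014 DPT=52869 SYN
Dec  5 10:01:04 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.13 PROTO=TCP SPT=51015 DPT=52869 SYN
Dec  5 10:01:05 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.20 DST=198.51.100.10 PROTO=TCP SPT=44000 DPT=443 SYN
Dec  5 10:01:06 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=60000 DPT=52869 SYN
Dec  5 10:01:07 gw kernel: [UFW BLOCK] IN=br0 OUT=eth0 SRC=198.51.100.31 DST=203.0.113.200 PROTO=TCP SPT=40001 DPT=37215 SYN
Dec  5 10:01:07 gw kernel: [UFW BLOCK] IN=br0 OUT=eth0 SRC=198.51.100.31 DST=203.0.113.201 PROTO=TCP SPT=40002 DPT=37215 SYN
"""

# Assumed local address space; replace with your own subnets.
LOCAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_events(lines):
    """Yield (src, dst, dport) for every log line aimed at a Satori port."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        dport = int(m.group("dpt"))
        if dport in SATORI_PORTS:
            yield m.group("src"), m.group("dst"), dport


def is_local(ip, nets=LOCAL_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def summarize(lines, local_nets=LOCAL_NETS):
    """Per source: which Satori ports it touched, how many distinct targets,
    and whether it sits inside the local address space."""
    stats = defaultdict(lambda: {"ports": set(), "targets": set()})
    for src, dst, dport in parse_events(lines):
        stats[src]["ports"].add(dport)
        stats[src]["targets"].add(dst)
    return {
        src: {
            "ports": sorted(s["ports"]),
            "targets": len(s["targets"]),
            "direction": "outbound_from_local" if is_local(src, local_nets) else "inbound",
        }
        for src, s in stats.items()
    }


def alerts(lines, min_targets=2, local_nets=LOCAL_NETS):
    """Sources worth an alert, sorted by address: any local host probing the
    Satori ports outward (likely already infected), or an external source
    sweeping at least min_targets distinct hosts."""
    result = []
    for src, s in sorted(summarize(lines, local_nets).items()):
        if s["direction"] == "outbound_from_local":
            result.append((src, "local host probing Satori ports: possibly infected", s))
        elif s["targets"] >= min_targets:
            result.append((src, "external sweep of Satori ports", s))
    return result


if __name__ == "__main__":
    for src, reason, detail in alerts(SAMPLE_LOG.splitlines()):
        print(f"{src}: {reason} ports={detail['ports']} targets={detail['targets']}")
```

On the constructed sample, the external host 203.0.113.7 is reported for sweeping four internal addresses across both ports, and the internal host 198.51.100.31 is reported for probing port 37215 outward, which is the worm behaviour the article describes; the single probe from 192.0.2.44 stays below the sweep threshold and the ordinary port 443 attempt is ignored entirely. Feeding the script a day of real gateway logs is a cheap way to check whether any router on your network has started scanning on Satori's behalf.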
There are some similarities between Satori and the Mirai variant that hit Argentina over the weekend, but researchers are tracking it as a distinct threat.
And nothing yet, by the way, from Reaper, which has remained curiously quiet since its discovery (Cybrary). In their commentary on Satori, Bitdefender offers some suggestions that would help protect devices from infestation by any Internet-of-things botnet. They're not, of course, foolproof, but they do represent sensible hygienic measures. First, change IoT device default passwords. Second, update those devices with any security patches as they become available. Third, avoid enabling Universal Plug and Play on routers. And, finally, when buying an IoT device, purchase it from a company with a reputation for good product security.