Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Botnets Target Zero-Days in GPON Routers

Two unpatched vulnerabilities in Dasan’s Gigabit-capable Passive Optical Network (GPON) routers are being exploited by Internet of Things (IoT) botnets, security researchers warn.

Two unpatched vulnerabilities in Dasan’s Gigabit-capable Passive Optical Network (GPON) routers are being exploited by Internet of Things (IoT) botnets, security researchers warn.

Tracked as CVE-2018-10561 and CVE-2018-10562, the two vulnerabilities were publicly disclosed in early May and impact hundreds of thousands of devices. The flaws can be exploited remotely, providing an attacker with full control of the impacted devices.

South Korea-based Dasan Networks hasn’t released a fix for these issues as of now, yet the first attempts to exploit the bugs were registered within days after the disclosure. An unofficial patch for the bugs was made available a couple of weeks back.

Last week, Fortinet alerted on Wicked, a new variant of Mirai that has added exploits for the GPON vulnerabilities to its arsenal. The security firm also revealed that a botnet iteration called Omni was being dropped onto the compromised devices.

According to researchers from Qihoo 360 Netlab, there were five botnets targeting the two GPON vulnerabilities last week, namely Hajime, Mettle, Mirai, Muhstik, and Satori.

Now, the security researchers reveal that an older botnet called TheMoon has joined the GPON party as well. Active since at least 2014, the botnet has merged at least 6 different IoT exploits last year, and appears to continue to evolve.

“A very special thing about this round is the attacking payload. It is different from all previous ones, so it looks like a 0day. And we tested this payload on two different versions of GPON home router, all work. All these make TheMoon totally different, and we chose not to disclose the attack payload details,” Netlab notes.

Trend Micro also reports Mirai-like scanning activity in Mexico, with GPON routers being the target. This is unsurprising, given that most of the Internet-exposed Dasan routers affected by the two flaws are located in Mexico, Kazakhstan, and Vietnam.

Advertisement. Scroll to continue reading.

“Unlike the previous activity, the targets for this new scanning procedure are distributed. However, based on the username and password combinations we found in our data, we concluded that the target devices still consist of home routers or IP cameras that use default passwords,” Trend Micro notes.

However, the attacks also attempt to compromise the targeted devices using vulnerabilities, the security firm notes. A downloading script is used to fetch malware variants for four different architectures, namely ARM, ARMv7, MIPS and MIPS little-endian, common architectures in embedded and IoT devices.

Related: “Wicked” Variant of Mirai Botnet Emerges

Related: Unofficial Patch Released for Zero-Days Affecting Dasan Routers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.