Multiple botnets are targeting a zero-day vulnerability in fiber routers in an attempt to ensnare them and leverage their power for malicious purposes, security researchers warn.
The security bug impacts Netlink Gigabit Passive Optical Networks (GPON) routers and could be abused for remote command execution. Proof-of-concept (PoC) code targeting the vulnerability has been available online for nearly a month.
Security researchers with Qihoo 360’s Netlab have observed multiple attempts to target the 0day, some before the PoC was published, starting with the Moobot botnet that successfully used an exploit for the vulnerability in February.
360 Netlab says that, after identifying the 0day in March, they contacted the vendor, but was told the default configuration on the targeted device should not be impacted. The researchers dispute these claims.
The attacks have intensified over the past several weeks, and multiple botnets are targeting the security flaw. Devices made by nine vendors appear to be affected, likely because they use the same OEM.
The Gafgyt and Fbot (Satori) botnets were observed leveraging the PoC exploit, albeit failing to successfully infect devices, mainly because the PoC needs to be chained with another vulnerability to compromise a router, the security researchers say.
To date, only Moobot appears to be actively exploiting the security flaw, as it is using its own exploit. Those relying on the publicly available PoC exploit for infection will continue to fail unless they figure out what other vulnerability to use for a successful attack.
“We recommend that users check and update their device firmware in a timely manner, and check whether there are default accounts that should be disabled,” the researchers say.
Related: Botnet Targets Critical Vulnerability in Grandstream Appliance
Related: Microsoft Cracks Infrastructure of Infamous Necurs Botnet
Related: Zero-Day Vulnerabilities in LILIN DVRs Exploited by Several Botnets

More from Ionut Arghire
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Malicious NPM, PyPI Packages Stealing User Information
- Boxx Insurance Raises $14.4 Million in Series B Funding
- Prilex PoS Malware Blocks NFC Transactions to Steal Credit Card Data
- 30k Internet-Exposed QNAP NAS Devices Affected by Recent Vulnerability
Latest News
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- UK Car Retailer Arnold Clark Hit by Ransomware
- Dealing With the Carcinization of Security
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Cyber Insights 2023 | Supply Chain Security
- Cyber Insights 2023 | Regulations
