Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Several Botnets Using Zero-Day Vulnerability to Target Fiber Routers

Multiple botnets are targeting a zero-day vulnerability in fiber routers in an attempt to ensnare them and leverage their power for malicious purposes, security researchers warn.

Multiple botnets are targeting a zero-day vulnerability in fiber routers in an attempt to ensnare them and leverage their power for malicious purposes, security researchers warn.

The security bug impacts Netlink Gigabit Passive Optical Networks (GPON) routers and could be abused for remote command execution. Proof-of-concept (PoC) code targeting the vulnerability has been available online for nearly a month.

Security researchers with Qihoo 360’s Netlab have observed multiple attempts to target the 0day, some before the PoC was published, starting with the Moobot botnet that successfully used an exploit for the vulnerability in February.

360 Netlab says that, after identifying the 0day in March, they contacted the vendor, but was told the default configuration on the targeted device should not be impacted. The researchers dispute these claims.

The attacks have intensified over the past several weeks, and multiple botnets are targeting the security flaw. Devices made by nine vendors appear to be affected, likely because they use the same OEM.

The Gafgyt and Fbot (Satori) botnets were observed leveraging the PoC exploit, albeit failing to successfully infect devices, mainly because the PoC needs to be chained with another vulnerability to compromise a router, the security researchers say.

To date, only Moobot appears to be actively exploiting the security flaw, as it is using its own exploit. Those relying on the publicly available PoC exploit for infection will continue to fail unless they figure out what other vulnerability to use for a successful attack.

“We recommend that users check and update their device firmware in a timely manner, and check whether there are default accounts that should be disabled,” the researchers say.

Related: Botnet Targets Critical Vulnerability in Grandstream Appliance

Related: Microsoft Cracks Infrastructure of Infamous Necurs Botnet

Related: Zero-Day Vulnerabilities in LILIN DVRs Exploited by Several Botnets

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.