At least five IoT botnets are fighting each other and attempting to infect Dasan GPON routers, according to Chinese cyber-security firm Qihoo 360 Netlab.
The devices they are trying to take over are GPON-capable routers manufactured by South Korean vendor Dasan. GPON stands for Gigabit Passive Optical Network and is a telecommunications technology for delivering internet connections over fiber-optic lines.
Earlier this month, security researchers disclosed two vulnerabilities (CVE-2018-10561 and CVE-2018-10562) in these devices that attackers could exploit to take over the routers. The vulnerabilities quickly came under attack.
Now, Netlab researchers, the ones who spotted the first hack attempts, are saying that attacks exploiting these flaws and targeting Dasan GPON routers have intensified as more botnets joined the fold.
But in what amounts to a comedy of errors, none of the five botnets are actually infecting devices. According to Netlab, the exploits of four botnets (Hajime, Mirai, Muhstik, and Satori) contain errors and are broken, preventing the botnets from bringing the routers under their control.
Mettle's exploit works, but Netlab says the botnet's command-and-control server went down, so the only botnet capable of infecting Dasan GPON routers appears to have taken a break at the worst possible time.
But Netlab researchers aren't wasting any time waiting for these botnets to fix their code. Currently, the Chinese firm is working to have at least one of these botnets brought down.
"We are taking joint actions with the security community to shut down parts of [Muhstik's] servers," a Netlab spokesperson told Bleeping Computer in a private conversation earlier today.
As for the router vendor, Dasan has also looked into the matter following the initial report, which claimed that over one million routers were exposed to attack.
The original number of affected devices was reported based on a generic Shodan search query, meaning many devices that may not have been vulnerable to the two exploits were also included in the search results.
The company told Bleeping Computer in an email that only "ZNID-GPON-25xx series and certain H640 series GPON ONTs, when operating on specific software releases, are affected by this vulnerability," and not all of its GPON-capable devices.
"After an internal investigation, we have determined the potential impact is much more limited in scope than previously reported in the media," a Dasan spokesperson told us.
"According to DZS sales records, combined with field data gathered to date, we have estimated the number of GPON ONT units that may be potentially impacted to be less than 240,000."
The company also says this number may be even smaller, as the devices vulnerable to the two exploits are quite old (first released in 2009) and many may have been replaced with newer Dasan GPON routers that are not affected by these two flaws but would still be included in Shodan search results.
As for patching the affected devices, Dasan doesn't see this happening, at least not right now.
"The DZS ZNID-GPON-25xx and certain H640-series ONTs, including the software that introduced this vulnerability, were developed by an OEM supplier and resold by DZS," the Dasan spokesperson told Bleeping Computer.
"While designed and released more than 9 years ago, most of these products are now well past their sustainable service life. Because software support contracts are no longer offered for most of these products, we do not have direct insight into the total number of units that are still actively used in the field."
Dasan also added that they have informed all customers who purchased the affected models about the discovered flaws.
"We are working with each customer to help them assess methods to address the issue for units that may still be installed in the field. It will be up to the discretion of each customer to decide how to address the condition for their deployed equipment," Dasan said.
In the meantime, the researchers who discovered this flaw have released an unofficial patch to mitigate the threat. Owners of affected routers should have a security expert independently verify the patch's code before installing it on their routers.