Two vulnerabilities affecting over one million routers, disclosed earlier this week, are now under attack by botnet herders, who are trying to bring the vulnerable devices under their control.
Attacks started yesterday, Thursday, May 3, according to Netlab, the network security division of Chinese cyber-security vendor Qihoo 360.
It did not take long for miscreants to spot and add this to their weapon library; we have captured activity utilizing CVE-2018-10561 and CVE-2018-10562 with an active C2 up and running in VN. We will share more details soon. https://t.co/I7lE3gRWr5 — 360 Netlab (@360Netlab) May 3, 2018
Exploitation of these two flaws started after an anonymous researcher published details of the two vulnerabilities via the VPNMentor blog on Monday, April 30.
The more ludicrous of the two flaws is the first: it lets anyone reach the router's internal settings simply by appending the "?images" string to any URL, effectively giving anyone control over the router's configuration.
By combining these two issues, the anonymous researcher said he was able to bypass authentication and execute code on vulnerable devices. A video by the VPNMentor crew summarizes the findings.
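For defenders, the bypass string quoted above is straightforward to flag in the web logs of such devices or of any proxy in front of them. The following is an added example, not code from the article, VPNMentor or Dasan; it assumes Apache/nginx combined-format log lines and uses constructed sample entries with hypothetical paths.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Combined-log-format parser (Apache/nginx style): source IP, timestamp,
# request line and status are all we need for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)


def has_images_bypass(target: str) -> bool:
    """True if the request target carries the '?images' bypass string.

    Matched as a query token, so '/x.html?images', '/x.html?a=1&images',
    '/x.html?a=1?images' and the percent-encoded '%3Fimages' are all caught,
    while a legitimate path such as '/images/logo.png' is not.
    """
    query = urlsplit(unquote(target)).query.lower()
    return any(tok == "images" or tok.startswith("images=")
               for tok in re.split(r"[?&]", query))


def flag_bypass_attempts(log_text: str) -> list:
    """Return (ip, method, target, status) for each request using the bypass."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        if has_images_bypass(m["target"]):
            hits.append((m["ip"], m["method"], m["target"], int(m["status"])))
    return hits


def sources_by_hits(log_text: str) -> Counter:
    """Flagged requests per source IP, to prioritise blocking or alerting."""
    return Counter(ip for ip, *_ in flag_bypass_attempts(log_text))


# Constructed sample log (RFC 5737 addresses, hypothetical paths); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [03/May/2018:10:15:01 +0000] "GET /menu.html?images HTTP/1.1" 200 5120 "-" "curl/7.58.0"
198.51.100.2 - - [03/May/2018:10:15:03 +0000] "GET /login.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [03/May/2018:10:15:05 +0000] "POST /config.html?lang=en&images HTTP/1.1" 200 256 "-" "curl/7.58.0"
192.0.2.9 - - [03/May/2018:10:16:00 +0000] "GET /images/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.9 - - [03/May/2018:10:16:02 +0000] "GET /menu.html%3Fimages HTTP/1.1" 200 5120 "-" "python-requests/2.18"
not a log line
"""
```

A 200 status on a flagged request is the signal that matters: it means the device served the settings page without a session, so the host should be treated as compromised-pending-patch, not merely probed.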
These vulnerabilities affect GPON-capable routers manufactured by South Korean vendor Dasan. GPON stands for Gigabit Passive Optical Network and is a telecommunications technology for delivering home internet connections over optical fiber lines. As such, these devices are mostly supplied to internet service providers (ISPs), which then distribute them to their customers.
The researcher said he was able to identify over one million of the vulnerable devices deployed online, most of them concentrated in Mexico, Kazakhstan, and Vietnam, countries where ISPs appear to have rolled out their infrastructure on top of Dasan GPON devices.
360 Netlab researchers said they've identified one botnet, operating from a command-and-control server located in Vietnam, that is currently scanning for and attempting to exploit these devices. The company promised more detailed information about these attacks on its blog in the coming days.
UPDATE: We have an updated article on these attacks, including a response from Dasan.