D-Link, Dasan Routers Under Attack In Yet Another Assault

Researcher observed on Thursday a massive uptick in exploit attempts from over 3,000 different source IPs targeting model D-Link 2750B and Dasan GPON routers running a version of the GPON firmware.

“A successful recruitment campaign has the potential to arm the associated threat actor(s) with DDoS artillery and facilitate espionage of private browsing habits,” wrote Keegan Keplinger, threat intelligence researcher with eSentire. “Botnets built using compromised routers may eventually be offered as a service to other threat actors, used for extorting DDoS victims among other uses.”

In an interview with Keplinger, he said the sustained attacks lasted 10 hours on Thursday. He said an unspecified single actor was targeting a known command-injection bug (CVE-2018-10562) used in routers running the GPON firmware version ZIND-GPON-25xx.

“Command injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it’s quite simple to execute commands and retrieve their output,” the CVE description of the vulnerability explained.

It did not take long for miscreant to spot and add this to their weapon library, we have captured activity utilizing CVE-2018-10561 CVE-2018-10562 with an active C2 up and running in VN. We will share more details soon. https://t.co/I7lE3gRWr5

Today, researchers at Palo Alto’s Unit 42 also revealed separate Mirai and Gafgyt IoT/Linux botnet campaigns that occurred that month, exploiting both the CVE-2018-10562 and CVE-2018-10561 bugs.

“The end of May 2018 has marked the emergence of three malware campaigns built on publicly available source code for the Mirai and Gafgyt  malware families that incorporate multiple known exploits affecting Internet of Things (IoT) devices,” wrote Ruchna Nigam, senior threat researcher with Unit 42.

ESentire’s Keplinger told Threatpost the activity observed this week came from more than 3,000 IPs located in Egypt and coordinated by a single-source command-and-contril that is unknown. No specific industry or geography is being singled out, he said.

“A sample of packets from various source IPs involved in this event pointed to a single C2 server hosting malware that appeared. VirusTotal results for the malware indicated similarities with the Mirai botnet.  Variants of Mirai code have been spotted in the Satori botnet,” according to a breakdown of the attacks by Keplinger.

Keplinger recommends users of the effected routers “disable remote access, ensure default login credentials are not being used, and disable universal plug and play capabilities.”