Bots Compete To Attack Vulnerable GPON Fiber Routers

A fiber router. (Image: file photo)

Several botnet operators are targeting a popular but vulnerable fiber router, which can be easily hijacked thanks to two authentication bypass and command injection bugs.

ZDNet first reported the bugs last week. In case you missed it: two bugs allowed anyone to bypass the router’s login page and access pages within — simply by adding “?images/” to the end of the web address on any of the router’s configuration pages. With near complete access to the router, an attacker can inject their own commands, running with the highest “root” privileges.
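The bypass described above leaves a recognisable trace in a web server or proxy access log: a request for a configuration page whose query string begins with `images/`. The following detector is an added example, not code from the original article or from DZS; it parses combined-format access log lines (constructed for the example, with hypothetical page names such as `/admin/config.html`) and flags requests carrying the `?images/` suffix, separating those the device served (HTTP 200) from those an upstream filter rejected (HTTP 403). Treating the query match case-insensitively is an assumption made here, not something the article states.

```python
import re
from urllib.parse import urlsplit

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines. Paths such as /admin/config.html are hypothetical
# placeholders for a router's configuration pages, not real DZS paths.
SAMPLE_LOG = """\
192.0.2.10 - - [03/May/2018:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [03/May/2018:10:12:05 +0000] "GET /admin/config.html?images/ HTTP/1.1" 200 2048 "-" "curl/7.58"
198.51.100.7 - - [03/May/2018:10:12:06 +0000] "POST /admin/config.html?images/ HTTP/1.1" 200 512 "-" "curl/7.58"
203.0.113.5 - - [03/May/2018:10:13:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.77 - - [03/May/2018:10:14:10 +0000] "GET /admin/status.html?images/ HTTP/1.1" 403 0 "-" "python-requests/2.18"
"""


def is_bypass_request(target: str) -> bool:
    """True when the request target carries the '?images/' login-bypass suffix.

    The check looks only at the query string, so a legitimate request for a
    static asset under /images/ (path, not query) is not flagged.
    """
    query = urlsplit(target).query
    return query.lower().startswith("images/")  # assumption: match case-insensitively


def scan_log(text: str) -> list:
    """Return one finding per log line that matches the bypass pattern."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if is_bypass_request(m["target"]):
            findings.append({
                "ip": m["ip"],
                "method": m["method"],
                "path": urlsplit(m["target"]).path,
                "status": int(m["status"]),
            })
    return findings


def sources(findings: list) -> list:
    """Distinct client addresses that attempted the bypass, sorted."""
    return sorted({f["ip"] for f in findings})


def served_bypasses(findings: list) -> list:
    """Attempts the device answered with 200, i.e. the bypass was not blocked."""
    return [f for f in findings if f["status"] == 200]


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        outcome = "SERVED" if h["status"] == 200 else "blocked"
        print(f'{h["ip"]:>15} {h["method"]:<4} {h["path"]:<22} {outcome}')
    print("sources:", ", ".join(sources(hits)))
```

A 200 on a flagged line means the login bypass reached the device; a 403 means a filter in front of it refused the request. Because DZS has said it will not ship a fix, a reverse proxy or firewall rule that rejects any request to the management interface whose query string starts with `images/` is the kind of compensating control this log check would verify.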

In other words, these routers are prime targets for hijacking by botnet operators.

Now, a new report by China-based security firm Netlab 360 says at least five botnet families have been “competing for territory” to target the devices.

All five botnets — Muhstik, Mirai, Hajime, Satori, and Mettle — have developed exploits to target the fiber routers, but so far none of the botnets have successfully hacked and hijacked the routers.

The security researchers say it could be a matter of time.

“Fortunately, the current attack payloads from muhstik, mirai, hajime, and satori, have been tested to be broken and will not implant malicious code […] and mettle’s C2 server is now offline, although it could really finish the implant during its appearance,” said the researchers.

The routers, developed by tech firm DZS, were built close to a decade ago, according to a company spokesperson, and are no longer on sale. The company said that only 240,000 routers were affected, but Shodan put the figure at over one million devices at the time of our first report. Since then, the number has dropped below the million mark.

The company said, however, that it does “not have direct insight to the total number of units that are still actively used in the field.”

Even though its routers are under attack, DZS has indicated that it will not fix the vulnerabilities, but will work “with each customer to help them assess methods to address the issue for units that may still be installed in the field.” The company said it will “be up to the discretion of each customer to decide how to address the condition for their deployed equipment.”

Routers are a prime target for hackers to abuse because they are notoriously prone to security flaws.

Earlier this month, both UK and US authorities warned that Russian hackers are using compromised routers to lay the groundwork for future attacks. Hackers are exploiting weak router security — often by simply using the default username and password — to conduct cyber-espionage.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
