Several Botnets Using Zero-Day Vulnerability to Target Fiber Routers

Multiple botnets are targeting a zero-day vulnerability in fiber routers in an attempt to ensnare them and leverage their power for malicious purposes, security researchers warn.

The security bug impacts Netlink Gigabit Passive Optical Networks (GPON) routers and could be abused for remote command execution. Proof-of-concept (PoC) code targeting the vulnerability has been available online for nearly a month.

Security researchers with Qihoo 360’s Netlab have observed multiple attempts to target the 0day, some before the PoC was published, starting with the Moobot botnet that successfully used an exploit for the vulnerability in February.

360 Netlab says that, after identifying the 0day in March, they contacted the vendor, but were told the default configuration on the targeted device should not be impacted. The researchers dispute these claims.

The attacks have intensified over the past several weeks, and multiple botnets are targeting the security flaw. Devices made by nine vendors appear to be affected, likely because they use the same OEM.

The Gafgyt and Fbot (Satori) botnets were observed leveraging the PoC exploit, albeit failing to successfully infect devices, mainly because the PoC needs to be chained with another vulnerability to compromise a router, the security researchers say.

To date, only Moobot appears to be actively exploiting the security flaw, as it is using its own exploit. Those relying on the publicly available PoC exploit for infection will continue to fail unless they figure out what other vulnerability to use for a successful attack.

“We recommend that users check and update their device firmware in a timely manner, and check whether there are default accounts that should be disabled,” the researchers say.

Ionut Arghire is an international correspondent for SecurityWeek.
