Dasan and D-Link routers targeted by apparent botnet in new wave of exploit attacks

An apparent botnet comprised of more than 3,000 separate source IPs generated a large, sudden spike in exploit attacks on July 19, targeting D-Link 2750B and certain Dasan GPON (Gigabit Passive Optical Network) small and home office routers.

The operation may have been an attempt to compromise routers so they could be leveraged to launch distributed denial of service attacks, distribute malicious content or spy on browsing activity, suggests the eSentire Threat Intelligence team, which authored a corresponding blog post and threat advisory after observing the incident while monitoring its customers.

Reportedly, the attackers sought to capitalize on a pair of vulnerabilities that collectively can result in remote code execution, and for which only an unofficial patch is available. The vulnerabilities -- CVE-2018-10561, an authentication bypass flaw, and CVE-2018-10562, a command injection bug -- were discovered and publicly disclosed in May 2018, and have since been used in various campaigns. Dasan routers using ZIND-GPON-25xx firmware, some Dasan H650 series GPON routers, and D-Link DSL-2750B routers with firmware 1.01 to 1.03 are susceptible to the exploits.

"The coordination of the botnet suggests a single entity controlled the 3000+ source IPs that tripped router exploit signatures over a ten-hour span," notes eSentire. The managed detection and response company also notes that a VirusTotal analysis indicates the malware involved in the campaign had similarities to the Mirai botnet -- suggesting this may have been the work of the Satori botnet.

As a preventative measure, eSentire recommends disabling remote access and universal plug-and-play on vulnerable routers, and changing any default login credentials.

In other Internet of Things news, IoT security company Armis has reported in a new blog post that an estimated 496 million workplace devices are vulnerable to decade-old DNS rebinding attacks. To execute these attacks, actors compromise web pages to run a client-side script that lets them hijack victims' web browsers in order to interact with vulnerable network devices on the local network.
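Two defensive checks against the rebinding step described above, as an added example written for this article (not code from Armis or any vendor named here): a resolver-side filter that refuses to let a public hostname resolve to an internal address, and a device-side Host header check that a local web UI can apply. The function names, the trusted suffix list and the sample addresses are constructed for illustration.

```python
import ipaddress
from typing import Iterable

# Address ranges a rebinding filter should never let a public hostname resolve to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this" network
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]

def is_internal(addr: str) -> bool:
    """True if addr falls in any internal range above (version mismatches compare False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def filter_dns_answer(name: str, answers: Iterable[str],
                      internal_suffixes: Iterable[str] = (".lan", ".local")) -> list[str]:
    """Resolver-side mitigation (hypothetical helper): drop A/AAAA records that map a
    public hostname onto an internal address; names under a trusted suffix are exempt."""
    name = name.rstrip(".").lower()
    trusted = any(name.endswith(sfx) for sfx in internal_suffixes)
    return [a for a in answers if trusted or not is_internal(a)]

def host_header_allowed(host_header: str, own_addresses: Iterable[str],
                        own_names: Iterable[str] = ()) -> bool:
    """Device-side mitigation (hypothetical helper): serve only requests whose Host header
    names the device itself; a rebound request still carries the attacker's hostname."""
    raw = host_header.strip().lower()
    if raw.startswith("["):                      # IPv6 literal: [addr]:port
        host = raw[1:raw.index("]")] if "]" in raw else ""
    else:
        host = raw.split(":", 1)[0]              # strip :port from a name or IPv4 literal
    if host in {n.lower().rstrip(".") for n in own_names}:
        return True
    try:
        return ipaddress.ip_address(host) in {ipaddress.ip_address(a) for a in own_addresses}
    except ValueError:                           # neither an IP literal nor one of our names
        return False

# Constructed sample: a rebinding zone answers first with its public address, then with
# the victim's router address; the internal printer name is a legitimate local record.
SAMPLE_ANSWERS = {
    "ads.example.net": ["203.0.113.10", "192.168.1.1"],
    "printer.lan": ["192.168.1.20"],
}

if __name__ == "__main__":
    for name, answers in SAMPLE_ANSWERS.items():
        print(f"{name}: keep {filter_dns_answer(name, answers)}")
    print(host_header_allowed("ads.example.net", ["192.168.1.1"]))   # False
    print(host_header_allowed("192.168.1.1:8080", ["192.168.1.1"]))  # True
```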

"From smart TVs to printers, digital assistants to IP phones and more, the exposure leaves organizations vulnerable to compromise, data exfiltration, and to devices getting hijacked for another Mirai-like attack," warns the report, written by VP of research Ben Seri.

According to Armis, 87 percent of switches, routers and access points -- 14 million in total -- are vulnerable to DNS rebinding. And there are more vulnerable printers than any other category of device -- 165 million in total, or 66 percent of all printers. Other susceptible equipment includes streaming media players and speakers (78 percent of them, or 5.1 million), IP phones (77 percent of them, or 124 million), IP cameras (75 percent of them, or 160 million) and smart TVs (57 percent of them, or 28.1 million).

"Because of the widespread use of the types of devices listed above within enterprises, Armis can say that nearly all enterprises are susceptible to DNS rebinding attacks," states Seri.