Increase in Attacks on GPON Routers

It is recommended users disable remote access, ensure default login credentials are not being used, and disable universal plug and play capabilities

eSentire has identified a new, coordinated weaponization campaign targeting D-Link routers.

The company just detected a coordinated botnet recruitment campaign being launched. eSentire saw a surge of exploit attempts from over 3,000 different source IPs, introducing a variation of the OS Command Injection attack against the 2750B D-Link router. While none of these exploits appeared to be successful in corporate environments (which lack consumer-grade routers), there was likely some degree of success with casual home networks.

This piggybacks on eSentire’s 2018 Q1 Threat Report findings from last month, which noted a dramatic increase (539%) in attacks targeting popular consumer-grade routers (like Netgear and Linksys) from Q4 2017 to Q1 2018.

eSentire Threat Intelligence has observed an increase in exploitation attempts targeting consumer-grade network devices manufactured by Dasan and D-Link.

Customers are advised to review the details below and apply mitigation actions, if applicable. Successful exploitation of vulnerable devices can result in remote code execution and ongoing communication between the threat actor and infected devices.

What we’re doing about it
Observed infrastructure hosting exploit payloads has been added to the eSentire global blacklist.

What you should do about it
Dasan routers running ZIND-GPON-25xx firmware and some H650-series GPON devices are susceptible (CVE-2018-10561 & CVE-2018-10562). Only unofficial patches are currently available; eSentire has not independently tested these patches.

D-Link DSL-2750B routers with firmware 1.01 to 1.03 are also susceptible to the accompanying command injection attempts.

For susceptible devices, it is recommended users disable remote access, ensure default login credentials are not being used, and disable universal plug and play capabilities.

The identified spike in attacks does not appear to be targeted against a specific client or industry. eSentire Threat Intelligence has identified roughly three thousand unique IP addresses being used to deliver the exploit attempts. The large number of devices launching these attacks may indicate the use of a botnet.

It is not uncommon for botnet controllers to attempt to increase the number of devices in their botnet by using tactics similar to this. The infected devices can then be used to launch additional attacks such as distributing malicious content or launching DDoS attacks.
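The indicator described above (the same exploit attempt arriving from roughly three thousand distinct source IPs) is something a defender can look for in their own edge logs. The following Python script is an added example written for this advisory, not eSentire's tooling: it parses Common Log Format access lines, slides a time window over requests to each path, and flags any path hit by more than a threshold of distinct source IPs in one window, which distinguishes a botnet-driven campaign from a single noisy scanner. The sample log lines, the request path `/placeholder-vulnerable-endpoint`, the `203.0.113.0/24` and `198.51.100.7` addresses, and the threshold of 50 are all constructed placeholders, not indicators from the advisory.

```python
"""Flag request paths hit by many distinct source IPs within a short window.

Added example for the advisory above; not eSentire's code. Log format is
Common Log Format; sample data, the request path and the threshold are
constructed placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip, ts, method, path, status; None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def coordinated_sources(lines, window=timedelta(minutes=10), min_sources=50):
    """Map each request path to the largest number of distinct source IPs
    seen within any `window`, keeping only paths at or above `min_sources`.

    A single scanner hammering one path produces a distinct-IP count of 1,
    however many requests it sends; a botnet recruitment wave produces
    hundreds or thousands, which is the signal this advisory describes.
    """
    events = defaultdict(list)  # path -> [(timestamp, ip), ...]
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[rec["path"]].append((rec["ts"], rec["ip"]))

    flagged = {}
    for path, evs in events.items():
        evs.sort()
        in_window = defaultdict(int)  # ip -> count of its requests inside the window
        start = 0
        best = 0
        for ts, ip in evs:
            in_window[ip] += 1
            # Evict events older than `window` relative to the newest event.
            while evs[start][0] < ts - window:
                old_ip = evs[start][1]
                in_window[old_ip] -= 1
                if in_window[old_ip] == 0:
                    del in_window[old_ip]
                start += 1
            best = max(best, len(in_window))
        if best >= min_sources:
            flagged[path] = best
    return flagged


def build_sample_log():
    """Constructed sample: 60 distinct IPs (TEST-NET-3) POSTing to a placeholder
    path over five minutes, plus one host fetching /index.html 100 times."""
    base = datetime(2018, 5, 14, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(60):
        ts = (base + timedelta(seconds=5 * i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(
            f'203.0.113.{i + 1} - - [{ts}] "POST /placeholder-vulnerable-endpoint HTTP/1.1" 404 0'
        )
    for i in range(100):
        ts = (base + timedelta(seconds=3 * i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'198.51.100.7 - - [{ts}] "GET /index.html HTTP/1.1" 200 512')
    return lines


if __name__ == "__main__":
    for path, count in coordinated_sources(build_sample_log()).items():
        print(f"{path}: {count} distinct sources in one window")
```

Run against a real access log, the threshold should be tuned to the site's normal fan-in (a popular page legitimately sees many distinct clients), so restricting the check to paths that return errors or that are not part of the served application reduces false positives; the script keeps the status code in each record for exactly that filter.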

Follow a regular patching schedule for all corporate devices.
