Earlier this month, vpnMentor security researchers warned that Dasan GPON routers are affected by two serious vulnerabilities: CVE-2018-10561 (authentication bypass) and CVE-2018-10562 (remote execution of arbitrary code).
According to Shodan data, more than a million vulnerable devices were reported to be exposed on the Internet, and attackers began exploiting the flaws almost immediately, since a proof-of-concept exploit had already been published.
Now Qihoo 360 Netlab specialists report that it is not just individual hacker groups competing to infect Dasan GPON routers, but five large botnets: Hajime, Mettle, Mirai, Muhstik and Satori.
At the same time, the experts write that in four of the five cases (Hajime, Mirai, Muhstik, Satori) the router exploits were implemented with errors, so their attacks on Dasan GPON devices do not succeed. The Mettle botnet's exploits work as intended, but its command-and-control server is currently not functioning, so no successful infections have been observed from that side yet.
According to official statements by Dasan representatives, the vulnerabilities affect the ZNID-GPON-25xx series and the GPON ONT H640 series, and the total number of vulnerable routers on the Internet is 240,000 devices or fewer.
It did not take long for miscreants to spot and add this to our weapon library, we have captured activity utilizing CVE-2018-10561 CVE-2018-10562 with an active C2 up and running in VN. We will share more details soon. https://t.co/I7lE3gRWr5
– 360 Netlab (@360Netlab) May 3, 2018
The vendor explained that the DZS ZNID-GPON-25xx and H640-series ONT devices were developed by an OEM and resold by DZS (DASAN Zhone Solutions). Moreover, the devices were released nine years ago; the original contracts and agreements are no longer in force, and the devices "have served their time". Although the company says it has notified all customers using the vulnerable equipment and is handling each case individually, patches for these dangerous vulnerabilities apparently should not be expected in the near future.
vpnMentor researchers likewise believe that development of the devices is no longer maintained and that patches may never be released at all. They have therefore published their own tool for protecting the routers from attacks. In essence, the utility disables remote administration of the device and confines management to the local network by disabling the web server. The researchers also advise placing vulnerable routers behind a firewall or, where possible, replacing the equipment altogether.