At the beginning of May, two vulnerabilities with exploits were released for DASAN GPON home routers: CVE-2018-10561 and CVE-2018-10562. The first vulnerability allows unauthenticated access to the Internet-facing web interface of the router; the second vulnerability allows command injection. Soon after the disclosure, we started to observe exploit attempts on our servers. Exploit attempts are easy to recognize: the URL contains the string /GponForm/diag_FORM?images/. We observed scans targeting just GPON devices, and scans combining GPON and Drupal exploits. Please post a comment if you've observed these exploit attempts too.
DidierStevens | ISC Handler | May 20th 2018
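As an added example (not from the diary or any of the commenters), a small Python scanner that applies the indicator given in the diary to web-server access logs and tallies hits per source address. The log lines and IP addresses below are constructed; percent-decoding and case-folding the URL before matching is my own assumption about how a scanner should normalise, since the bare string match in the diary would miss an encoded or re-cased variant.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Indicator from the diary: exploit attempts carry this string in the request URL.
GPON_DIAG_INDICATOR = "/gponform/diag_form?images/"
# CVE-2018-10561 authentication bypass (per the quoted article): "?images/" appended to a URL.
AUTH_BYPASS_SUFFIX = "?images/"

# Combined-format access log line: ip ident user [timestamp] "METHOD url protocol" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*"'
)

# Constructed sample lines (documentation-range IPs, not real sources).
SAMPLE_LOG = """\
203.0.113.10 - - [20/May/2018:10:12:01 +0000] "POST /GponForm/diag_FORM?images/ HTTP/1.1" 404 153 "-" "Hello, World"
203.0.113.10 - - [20/May/2018:10:12:09 +0000] "POST /GponForm/diag_Form%3Fimages/ HTTP/1.1" 404 153 "-" "Hello, World"
198.51.100.7 - - [20/May/2018:10:13:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.55 - - [20/May/2018:11:00:00 +0000] "GET /menu.html?images/ HTTP/1.1" 200 2048 "-" "curl/7.58.0"
"""


def classify_request(url):
    """Return 'gpon-exploit' for the diag_FORM injection URL, 'gpon-bypass' for a
    bare ?images/ authentication bypass, or None for anything else."""
    normalised = unquote(url).lower()   # assumption: decode once, fold case
    if GPON_DIAG_INDICATOR in normalised:
        return "gpon-exploit"
    if AUTH_BYPASS_SUFFIX in normalised:
        return "gpon-bypass"
    return None


def scan_log(text):
    """Parse log lines; return (hits, per_source) where hits is a list of
    (ip, label, url) and per_source counts flagged requests per client IP."""
    hits, per_source = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        label = classify_request(m.group("url"))
        if label:
            hits.append((m.group("ip"), label, m.group("url")))
            per_source[m.group("ip")] += 1
    return hits, per_source


if __name__ == "__main__":
    for ip, label, url in scan_log(SAMPLE_LOG)[0]:
        print(f"{ip:15} {label:13} {url}")
```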
In our previous blog, we covered part of this issue.
This one is the so-called Muhstik botnet, which we exposed in our earlier blog: GPON Exploit in the Wild (I) - Muhstik Botnet Among Others, https://blog.netlab.360.com/gpon-exploit-in-the-wild-i-muhstik-botnet-among-others-en/
In fact, we have published a series of three articles on GPON, covering Muhstik, Satori, Mettle, Hajime, Mirai, Omni and Imgay: https://blog.netlab.360.com/tag/gpon/
Anonymous | May 21st 2018
I've seen evidence of this in logs on my DigitalOcean droplets, so they're not even trying to be quiet about it.
yaleman | May 21st 2018
I have never deployed the mentioned routers; however, I did run across an article pointing to issues like this on the ones you mentioned. Below is a snippet of text from the article mentioned. I would check it out if I were you, as it looks like there was a patch sent out to fix this issue.
URL: https://thehackernews.com/2018/05/protect-router-hacking.html
"Since hackers have started exploiting two recently disclosed unpatched critical vulnerabilities found in GPON home routers, security researchers have now released an unofficial patch to help millions of affected users left vulnerable by their device manufacturer. Last week, researchers at vpnMentor disclosed details of—an authentication bypass (CVE-2018-10561) and a root-remote code execution vulnerability (CVE-2018-10562)—in many models of Gigabit-capable Passive Optical Network (GPON) routers manufactured by South Korea-based DASAN Zhone Solutions. If exploited, the first vulnerability lets an attacker easily bypass the login authentication page just by appending ?images/ to the URL in the browser's address bar"
Anonymous2018 | May 21st 2018
The IP 165.227.78.159, in the original figure, is the report server of the Muhstik botnet.
A Muhstik report server will be contacted by the Muhstik botnet's payloads once a target is successfully exploited. https://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve-2018-7600-in-a-worm-style-en/
This 165.227.78.159 is a substitute for 51.254.219.134. The old one was taken down by a joint action with the security community. https://blog.netlab.360.com/gpon-exploit-in-the-wild-i-muhstik-botnet-among-others-en/
It seems like my last reply is treated as anonymous.
Quoting Anonymous: In our previous blog, we have covered part of this issue.
Anonymous | May 22nd 2018
Quoting Anonymous: It seems like my last reply is treated as anonymous.
That's because you did not choose a nick.
DidierStevens | ISC Handler | May 22nd 2018