D-Link and Dasan routers with GPON (Gigabit Passive Optical Network) firmware running on them have been targeted by hackers to essentially build a botnet army, according to research published Friday by eSentire Threat Intelligence.
According to the report, hackers are targeting routers that have not been patched against these vulnerabilities. On July 19 there was a huge increase in exploitation attempts, from more than 3,000 separate source IPs, targeting D-Link 2750B and certain Dasan GPON small and home office routers.
The operation may have been an attempt to compromise routers so they could be leveraged to launch distributed denial of service attacks, distribute malicious content or spy on browsing activity, suggests the eSentire Threat Intelligence team, which authored a corresponding blog post and threat advisory after it observed the incident while monitoring its customers.
“A successful recruitment campaign has the potential to arm the associated threat actor(s) with DDoS artillery and facilitate espionage of private browsing habits,” wrote Keegan Keplinger, threat intelligence researcher with eSentire. “Botnets built using compromised routers may eventually be offered as a service to other threat actors, used for extorting DDoS victims among other uses.”
The attacks lasted for ten hours, Keplinger asserted during an interview. Reportedly, the attackers sought to capitalize on a pair of vulnerabilities that collectively can result in remote code execution, and for which only an unofficial patch is available. An unspecified individual actor targeted CVE-2018-1062, a known command-injection bug in routers that run GPON firmware ZIND-GPON-25XX. It was discovered and publicly disclosed in May 2018, and has since been used in various campaigns. Dasan routers using ZIND-GPON-25xx firmware, some Dasan H650 series GPON routers, and D-Link DSL-2750B routers with firmware 1.01 to 1.03 are vulnerable to these exploits.
“Command injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it’s quite simple to execute commands and retrieve their output,” the CVE description of the vulnerability explained.
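The request pattern quoted above (diag_action=ping to GponForm/diag_Form with a tampered dest_host) is something a defender can look for in web-server or proxy logs in front of a router management interface. The following is an added detection example written for this article, not code from eSentire or from the router vendors; the log lines are constructed, and it assumes the parameters are visible in the request URI or in a body that the proxy or WAF has logged.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [19/Jul/2022:10:01:03 +0000] "GET /diag.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.11 - - [19/Jul/2022:10:01:04 +0000] "GET /GponForm/diag_Form?diag_action=ping&dest_host=192.0.2.1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.12 - - [19/Jul/2022:10:01:05 +0000] "GET /GponForm/diag_Form?diag_action=ping&dest_host=192.0.2.1%60id%60 HTTP/1.1" 200 512 "-" "curl/7.58"
203.0.113.13 - - [19/Jul/2022:10:01:06 +0000] "GET /GponForm/diag_Form?diag_action=ping&dest_host=192.0.2.1%3Bls HTTP/1.1" 200 512 "-" "curl/7.58"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A legitimate ping target is a hostname, IPv4 or IPv6 literal: letters,
# digits, dots, hyphens and colons. Anything else (";", "|", "`", "$(",
# whitespace, newlines) has no business in dest_host and is treated as
# an injection attempt rather than pattern-matching individual payloads.
VALID_HOST_RE = re.compile(r"^[A-Za-z0-9.\-:]+$")


def inspect_request(target: str, body: str = "") -> Optional[dict]:
    """Return a finding for a diag_Form ping whose dest_host is not a plain host, else None.

    `target` is the request URI; `body` is an optional urlencoded POST body
    (only available if the proxy or WAF logs it). parse_qs percent-decodes values.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/GponForm/diag_Form"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))
    if params.get("diag_action", [""])[0] != "ping":
        return None
    dest = params.get("dest_host", [""])[0]
    if VALID_HOST_RE.match(dest):
        return None
    return {"dest_host": dest, "reason": "dest_host contains non-hostname characters"}


def scan_log(text: str) -> dict:
    """Scan access-log text; report findings and how many distinct sources sent them."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m["target"])
        if finding:
            finding.update(src=m["src"], ts=m["ts"])
            findings.append(finding)
    # Many distinct sources hitting the same endpoint in a short window is the
    # botnet-style pattern the article describes (3,000+ source IPs in one day).
    return {"findings": findings, "distinct_sources": len({f["src"] for f in findings})}
```

Because the original exploitation reportedly used POST requests, a plain access log may not show dest_host at all; in that case any request to GponForm/diag_Form from outside the management network is itself worth alerting on, since the endpoint should never be reachable from the WAN.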