Botnets 'competing' to attack vulnerable GPON fiber routers

Several botnet operators are targeting a popular but vulnerable fiber router, which can be easily hijacked thanks to two authentication bypass and command injection bugs.

ZDNet first reported the bugs last week. In case you missed it: two bugs allowed anyone to bypass the router’s login page and access pages within — simply by adding “?images/” to the end of the web address on any of the router’s configuration pages. With near complete access to the router, an attacker can inject their own commands, running with the highest “root” privileges.

In other words, these routers are prime targets for hijacking by botnet operators.

Now, a new report by China-based security firm Netlab 360 says at least five botnet families have been “competing for territory” to target the devices.

All five botnets — Muhstik, Mirai, Hajime, Satori, and Mettle — have developed exploits to target the fiber routers, but so far none of the botnets have successfully hacked and hijacked the routers.

The security researchers say it could be a matter of time.

“Fortunately, the current attack payloads from muhstik, mirai, hajime, and satori, have been tested to be broken and will not implant malicious code […] and mettle’s C2 server is now offline, although it could really finish the implant during its appearance,” said the researchers.

The routers, developed by tech firm DZS, were built close to a decade ago, according to a company spokesperson, and are no longer on sale. The company said that only 240,000 routers were affected, but Shodan put the figure at over one million devices at the time of our first report. Since then, the number has dropped below the million mark.

https://www.zdnet.com/article/botnets-competing-to-attack-vulnerable-gpon-fiber-routers/