CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.974 High
  Percentile: 99.9%
Well, that did not take long.
Within just 10 days of the disclosure of two critical vulnerabilities in GPON routers, at least five botnet families have been found exploiting the flaws to build an army of a million devices.
Security researchers from China-based cybersecurity firm Qihoo 360 Netlab have spotted five botnet families, Mettle, Muhstik, Mirai, Hajime and Satori, making use of the GPON exploit in the wild.
As detailed in our previous post, Gigabit-capable Passive Optical Network (GPON) routers manufactured by South Korea-based DASAN Zhone Solutions have been found vulnerable to an authentication bypass flaw (CVE-2018-10561) and a root remote code execution (RCE) flaw (CVE-2018-10562), which together allow unauthenticated remote attackers to take full control of the device.
Shortly after the details of the vulnerabilities went public, 360 Netlab researchers warned that threat actors were exploiting both flaws to hijack the vulnerable routers and add them to their botnets.
Now the researchers have published a new report detailing the five botnet families named above, each of which is actively exploiting these issues.
Researchers at vpnMentor, who discovered the GPON vulnerabilities, reported the issues to the router manufacturer, but the company hasn't yet released any fix, nor do the researchers believe that a patch is under development, leaving millions of its customers open to these botnet operators.
What's worse, a working proof-of-concept (PoC) exploit for the GPON router vulnerabilities has already been made public, making exploitation easier even for unskilled attackers.
So, until the company releases an official patch, users can protect their devices by disabling remote administration and using a firewall to block access to the router's management interface from the public Internet.
Making these changes restricts access to the local network only, that is, to devices within range of your Wi-Fi network, which takes remote attackers out of the attack surface entirely. Note that the flaws themselves remain: any host already on the LAN, including an infected device, can still exploit them, so this is a stopgap rather than a fix.
If you are unsure about these settings, vpnMentor has also provided a simple online tool that modifies your router settings on your behalf, though we do not encourage users to run third-party scripts or patches on their devices.
Instead, users should either wait for official fixes from the router manufacturer or apply the changes manually where possible.
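The manual change described above, as an added example that is not part of the original article nor of vpnMentor's tool: a POSIX shell script that uses iptables to restrict the web management ports of a Linux-based router (or of an upstream Linux firewall placed in front of it) to the LAN. The WAN interface name eth0, the LAN subnet 192.168.1.0/24 and the management ports 80 and 443 are assumptions; change them to match your device.

```shell
#!/bin/sh
# Added example, not from the article: lock a router's web management
# interface to the LAN with iptables so the vulnerable admin interface is
# not reachable from the public Internet. The values below are assumptions.
WAN_IF="${WAN_IF:-eth0}"                # assumed Internet-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed LAN subnet
MGMT_PORTS="${MGMT_PORTS:-80 443}"      # assumed management ports

# Emit the iptables commands implementing the policy, one per line.
# Policy: a management port may only be reached from a source inside the
# LAN subnet arriving on a non-WAN interface; every other packet to those
# ports is dropped (default deny, so a spoofed LAN address on WAN is dropped too).
gpon_mgmt_rules() {
    wan_if="$1"; lan_net="$2"; ports="$3"
    echo "iptables -N MGMT_GUARD"
    echo "iptables -I INPUT 1 -j MGMT_GUARD"
    for p in $ports; do
        echo "iptables -A MGMT_GUARD -p tcp --dport $p ! -i $wan_if -s $lan_net -j RETURN"
        echo "iptables -A MGMT_GUARD -p tcp --dport $p -j DROP"
    done
}

# Remove a previous instance of the chain so the script can be re-run.
reset_chain() {
    iptables -D INPUT -j MGMT_GUARD 2>/dev/null
    iptables -F MGMT_GUARD 2>/dev/null
    iptables -X MGMT_GUARD 2>/dev/null
    return 0
}

# Without "apply" the script only prints the rules for review;
# with "apply" (as root) it installs them.
if [ "${1:-}" = "apply" ]; then
    reset_chain
    gpon_mgmt_rules "$WAN_IF" "$LAN_NET" "$MGMT_PORTS" | while IFS= read -r cmd; do
        eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done || exit 1
else
    gpon_mgmt_rules "$WAN_IF" "$LAN_NET" "$MGMT_PORTS"
fi
```

Run it once without arguments to inspect the generated rules, then with `apply` as root. Afterwards confirm from an address outside your network that the management port no longer answers; if it still does, the device's own remote-administration setting or an upstream NAT/port-forward is exposing it independently of these rules.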