Hackers Are Attempting To Build Botnet Using Routers

Hackers are exploiting unpatched vulnerabilities in D-Link and Dasan GPON switches in an attempt to build a huge botnet, eSentire Threat Intelligence reports.

Researchers observed a large volume of exploit attempts, coming from more than 3000 sources (probably proxies), against D-Link 2750B and Dasan GPON switches running a version of the GPON firmware.

“A successful recruitment campaign has the potential to arm the associated threat actor(s) with DDoS artillery and facilitate espionage of private browsing habits. Botnets built using compromised routers may eventually be offered as a service to other threat actors, used for extorting DDoS victims among other uses,” said Keegan Keplinger, intelligence researcher with eSentire.

Keplinger said an unspecified single actor was targeting a command-injection vulnerability (CVE-2018-10562) that affects routers and switches running the GPON firmware version ZIND-GPON-25xx.

“Command injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it’s quite simple to execute commands and retrieve their output,” Keplinger reported to Threatpost.

The full CVE description of the vulnerability is available in the CVE-2018-10562 entry.
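Defenders can look for the request pattern Keplinger describes in proxy or WAF logs that record form bodies. The following is an added detection example, not code from eSentire or from this article; the record layout (source, URI, form body), the function names and the sample values are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist for a hostname: letters, digits, dots and hyphens only.
HOSTNAME = re.compile(r"[A-Za-z0-9.-]{1,253}")

def is_plain_ping_target(value):
    """True when value is nothing more than an IP address or hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME.fullmatch(value) is not None

def classify(uri, body):
    """Return 'not-diag', 'ok' or 'suspicious' for one HTTP request."""
    parts = urlsplit(uri)
    if not parts.path.rstrip("/").lower().endswith("/gponform/diag_form"):
        return "not-diag"
    # Parameters can arrive in the query string or in the form body.
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    if "ping" not in params.get("diag_action", []):
        return "ok"
    hosts = params.get("dest_host", [])
    return "ok" if all(is_plain_ping_target(h) for h in hosts) else "suspicious"

def flag_sources(records):
    """Map each flagged source to the furthest stage seen (time-ordered input)."""
    findings = {}
    for src, uri, body in records:
        if classify(uri, body) == "suspicious":
            findings.setdefault(src, "injection-attempt")
        elif src in findings and urlsplit(uri).path.lower().endswith("/diag.html"):
            # Same source revisits /diag.html, where ping output is returned.
            findings[src] = "injection-and-readback"
    return findings

# Constructed sample records: (source IP, request URI, form body).
SAMPLE = [
    ("198.51.100.7", "/GponForm/diag_Form", "diag_action=ping&dest_host=192.168.1.1"),
    ("203.0.113.9", "/GponForm/diag_Form",
     "diag_action=ping&dest_host=192.168.1.1%3BCONSTRUCTED"),
    ("203.0.113.9", "/diag.html", ""),
    ("198.51.100.7", "/diag.html", ""),
]

if __name__ == "__main__":
    for src, stage in flag_sources(SAMPLE).items():
        print(src, stage)
```

The allowlist flags any `dest_host` value that is not purely an address or hostname, so it does not depend on enumerating shell metacharacters.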
