D-Link and Dasan routers with GPON firmware running on them have been targeted by hackers to essentially build a botnet army.
According to a report by eSentire Threat Intelligence, hackers are targeting unpatched versions of these router vulnerabilities and there was a huge increase in exploitation attempts from more than 3,000 source IPs targeting these routers this past Thursday.
Threat Intelligence Researcher Keegan Keplinger stated,
“A successful recruitment campaign has the potential to arm the associated threat actor(s) with DDoS artillery and facilitate espionage of private browsing habits. Botnets built using compromised routers may eventually be offered as a service to other threat actors, used for extorting DDoS victims among other uses.”
The attacks lasted for ten hours, Keplinger asserted during an interview. An unspecified individual actor targeted CVE-2018-1062, a known command-injection bug utilized in routers that run GPON firmware ZIND-GPON-25XX.
The more than 3,000 IPs were located within Egypt and had been coordinated by an unknown single-source command-and-contril. Keplinger stated that no particular geography or industry has yet been singled out. He recommends that those who are using these named routers should “disable remote access” in order to ensure that default log-in details are not used. They should also disable any universal plug and play capabilities.
Any comments on this article can be left below.
