Increase in Attacks on GPON Routers

eSentire Threat Intelligence has observed an increase in exploitation attempts targeting consumer-grade network devices manufactured by Dasan and D-Link.

Customers are advised to review the below details and apply mitigation actions if applicable. Successful exploitation of vulnerable devices can result in remote code execution and ongoing communication between the threat actor and infected devices.

What we’re doing about it

Observed infrastructure hosting exploit payloads have been added to the eSentire global blacklist.

What you should do about it

• Dasan routers utilizing ZIND-GPON-25xx firmware and some H650 series GPON are susceptible (CVE-2018-10561 & CVE-2018-10562). Only unofficial patches are currently available [1]. eSentire has not independently tested this patch.
• D-Link DSL-2750B routers with firmware 1.01 to 1.03 are also susceptible to the accompanying command injection attempts. [2]
• For susceptible devices, it is recommended users disable remote access, ensure default login credentials are not being used, and disable universal plug and play capabilities.
• Follow a regular patching schedule for all corporate devices

Additional information

The identified spike in attacks does not appear to be targeted against a specific client or industry. eSentire Threat Intelligence has identified roughly three thousand unique IP addresses being used to deliver the exploit attempts. The wide number of devices launching these attacks may indicate the use of a botnet.

It is not uncommon for botnet controllers to attempt to increase the number of devices in their botnet by using tactics similar to this. The infected devices can then be used to launch additional attacks such as distributing malicious content or launching DDoS attacks.

References:

[1] GPON Router Vulnerability Antidote
https://www.vpnmentor.com/tools/gpon-router-antidote-patch/

[2] D-Link DSL-2750B - OS Command Injection (Metasploit)
https://www.exploit-db.com/exploits/44760/