Critical flaws in gigabit-capable passive optical network (GPON) routers were disclosed recently, and it did not take long for threat actors to put them to use. A report by Chinese IT-security firm 360 Netlab has revealed that at least five different botnet families are actively exploiting these flaws. A proof-of-concept has also been made public, and with no official patch available yet, more infections are sure to follow.
Flaws within fiber routers used by botnets
A few days ago two critical vulnerabilities were disclosed in GPON routers. These fiber routers are used to provide short-haul connections for homes, cellular stations and more.
The vulnerabilities are extremely simple to exploit: anyone can bypass the login page – gaining code execution and near-complete control of the router – simply by adding the string “?images/” to the end of the URL.
The affected routers were manufactured by South Korean technology firm DZS nearly a decade ago and are no longer in production. According to a company spokesperson only 240 000 routers are vulnerable to these flaws, but a Shodan search turns up nearly one million affected devices.
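Because the bypass is a fixed string in the request URL, attempts to use it are easy to spot in web-server or reverse-proxy access logs in front of a router's management interface. The following Python script is an added example, not code from the article, 360 Netlab or vpnMentor: it parses constructed combined-format log lines (sample data, not real traffic; the addresses are documentation ranges) and flags every request whose URL contains "?images/", counting attempts per source address so a defender can see who is probing. A 2xx response to such a request against a management path is a sign that the bypass worked and the device should be treated as compromised.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache/nginx "combined" format.
# Not real traffic; the IPs come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2018:08:12:01 +0000] "GET /?images/ HTTP/1.1" 200 512 "-" "curl/7.58.0"
198.51.100.4 - - [10/May/2018:08:12:05 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2018:08:12:09 +0000] "POST /admin?images/ HTTP/1.1" 200 128 "-" "python-requests/2.18"
192.0.2.33 - - [10/May/2018:08:13:00 +0000] "GET /status.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that matter here: client IP, timestamp,
# request method, request URL and HTTP status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# The marker the article describes: "?images/" appended to the URL.
BYPASS_MARKER = "?images/"


def is_bypass_attempt(url: str) -> bool:
    """True when the request URL carries the '?images/' login-bypass string."""
    return BYPASS_MARKER in url


def scan_log(text: str):
    """Scan access-log text and return (alerts, attempts_per_ip).

    alerts is a list of dicts (ip, timestamp, method, url, status) for each
    matching request; attempts_per_ip counts matches per source address.
    """
    alerts = []
    per_ip = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip rather than crash
        url = m.group("url")
        if not is_bypass_attempt(url):
            continue
        alerts.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "method": m.group("method"),
            "url": url,
            # A 2xx here means the router answered the bypassed request.
            "status": int(m.group("status")),
        })
        per_ip[m.group("ip")] += 1
    return alerts, per_ip


def likely_successful(alerts) -> list:
    """Subset of alerts where the router returned a 2xx status."""
    return [a for a in alerts if 200 <= a["status"] < 300]


if __name__ == "__main__":
    found, counts = scan_log(SAMPLE_LOG)
    for a in found:
        print(f'{a["ip"]} {a["method"]} {a["url"]} -> {a["status"]}')
    print("attempts per source:", dict(counts))
    print("answered with 2xx:", len(likely_successful(found)))
```

Point the scanner at the real access log of whatever sits in front of the router's web interface; a legitimate request for an image under /images/ does not match, because the marker is the query-string form "?images/", not a path component.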
A report by Chinese IT-security firm 360 Netlab has revealed at least five different botnet families actively using these flaws, tracked as CVE-2018-10561 and CVE-2018-10562, to grow their numbers. These include the following.
- Mettle
- Muhstik
- Mirai
- Hajime
- Satori
Proof-of-Concept and how to protect yourself
A fully working proof-of-concept exploit has also been released to the public, meaning the number of infected routers is only going to rise. However, there are steps you can take to protect yourself.
- Disable remote administration rights on the router.
- Use a firewall to prevent outside access from the Internet.
A patch tool has also been released by vpnMentor, the company that initially discovered the flaws. However, caution is still advised, as the tool does not come from the vendor and remains unofficial.