Researchers warn owners of fiber-optic routers to carefully monitor their equipment and check for firmware updates after a zero-day attack is discovered in the wild.
The team of Yanlong Ma, Genshen Ye, Lingming Tu, Ye Jin at 360 Netlab say that for more than two months it has been following active attacks against what it says is a two-part remote code execution attack used to infect network equipment from multiple vendors.
The exploit allows the attacker to gain full control of vulnerable routers in the passive optical Netlink Gigabit networks and at least eight other OEMs. One of the steps, detailed by Exploit-db, is known to cause the execution of remote commands.
“The formPing () function in the / bin / boa web server program, when processing the publish request from / boaform / admin / former, it did not check the target_addr parameters before pinging the system, so command injection becomes possible, “explained the Netlab team.
April 2020 and – rest assured – your Windows PC can still be powered by something as harmless as an unruly police
However, another vulnerability is needed to access, and must be chained with the above bug to actually gain control of the vulnerable routers. This limits its scope, but not much.
Netlab says it is aware of what this second exploit is and has seen that it is used in the wild by the Moobot botnet, but because the exploits are in progress and that no fix has been released for the moment, he is keeping this part secret.
Indeed, the researchers note that since the partial proof of concept was published, two other botnets have been spotted trying to exploit it (without success).
“Fortunately, unlike Moobot, this bot author was unaware of the aforementioned condition, so it did not work as expected and the scans would fail most of the time,” NetLab noted.
The whole incident reflects what Netlab suspects of a growing class division in the botnet space between well-supported professional operators and other groups that rely on less reliable methods.
“Apparently, while most botnets are playing catch-up games, some have substantial resources and possibly deep pockets to get their hands on unknown public exploits,” the team noted.
Interestingly, the researchers say that, since March, they have been trying to contact Netlink but have been told that this problem should not occur because the default configuration of the device should not have this problem (the reality is different).
The register attempted to contact the India-based company for a response to the report. At least eight other anonymous brands, probably all from OEMs, are also vulnerable.
“The PoC has been published publicly and various botnets are already taking advantage of it, we have informed the CNCERT of all the details, and we think it is necessary to inform the public of this permanent threat”, explain the researchers. “We are not going to share the seller’s name because we have no idea if there will be any action taken by them.”
In the meantime, Netlab recommends that users do not forget to regularly check for firmware updates for their routers and other equipment. ®
Office 365 client-to-client migration tips