You're a botnet, you've got a zero-day, so where do you go? After fiber, because that's where the bandwidth is
Two-step attack seen on core systems
Researchers are warning owners of fiber routers to keep a close eye on their gear and check for firmware updates following the discovery an in-the-wild zero-day attack.
The team of Yanlong Ma, Genshen Ye, Lingming Tu, Ye Jin at 360 Netlab say that for more than two months it has been tracking active attacks on what it says is a two-part remote code execution attack being used to infect the networking gear from multiple vendors.
The exploit results in the attacker getting total control of the vulnerable Netlink Gigabit Passive Optical Networks routers and at least eight other OEMs. One of the steps, detailed by Exploit-db, is known to cause remote command execution.
"The function formPing() in the Web server program /bin/boa, when it processes the post request from /boaform/admin/forming, it did not check the target_addr parameters before calling the system ping commands, thereby a command injection becomes possible," Netlab's team explained.
April 2020 and – rest assured – your Windows PC can still be pwned by something so innocuous as an unruly fontREAD MORE
Another vulnerability is needed to gain access, however, and must be chained with the above bug to actually get control of the vulnerable routers. That limits its scope, but not by much.
Netlab says it is aware of what that second exploit is and has seen it being used in the wild by the Moobot botnet, but because the exploits are ongoing and no fix has been posted for the flaw yet, it is keeping that part under wraps.
Indeed, the researchers note that since the partial proof of concept was posted, two other botnets have been spotted attempting to (unsuccessfully) exploit it.
"Luckily, unlike Moobot, this botnet author was not aware of the aforementioned precondition, so it did not work out as expected and the scans would mostly fail," NetLab noted.
The entire incident reflects what Netlab suspects is a growing class divide in the botnet space between well-backed, professional operators and other groups who rely on less-reliable methods.
"Apparently while most botnets play catchup games, some have deep resources and probably deep pockets to get hold of the public unknown exploits," the team noted.
Interestingly, the researchers say that, dating back to March, they have been attempting to contact Netlink but were told this problem should not be happening because the default config of the device should not have this issue (the reality is different).
The Register has attempted to get in touch with the India-based company for a response to the report. At least eight other unnamed brands, possibly all OEM vendors, are also thought to be vulnerable.
"The PoC has been published publicly and various botnets are taking advantage of it already, we informed CNCERT all the details, and we think it is necessary to inform the public this ongoing threat," the researchers explain. "We are not going to share the vendor name though, as we have no idea if there is going to be any action taken by them."
In the meantime, Netlab recommends that users remember to regularly check for firmware updates to their routers and other gear. ®