Friday, December 8, 2023

Moobot Botnet Hacks Various Fiber Routers Using 0-Day Vulnerability

By Hema Vijayakumar

Moobot Botnet

Qihoo 360’s Netlab Researchers observed Moobot botnet has successfully spread in fiber routers for remote code execution using0-day vulnerability. 

There is a total of 9 vendors are affected by the same vulnerability, it is likely most of the vendors are OEM products of the same original vendor.

Recent IOT 0-day Vulnerabilities

360’s Netlab Researchersseen the trend of 0-day vulnerabilities of IoT devices exploited to spread the multiple botnets in the past 30 days.

LILIN DVR 0-day vulnerabilities to spread Chalubo, FBot, and Moobotbotnets.On February 13, 2020, the vendor fixed the vulnerability and released the latest firmware program 2.0b60_20200207.

DrayTek Vigorenterprise routers and switch devices affected with pair of 0-day vulnerability. On February 10, 2020, the manufacturer DrayTek issued a security bulletin, which fixed the vulnerability and released the latest firmware program 1.5.1.

Fiber routers include Netlink GPON spreads Moobot botnet

On February 28, 2020, Researchers noticed the Moobot botnet successfully used a new exploit (two steps) to spread in fiber routers including Netlink GPON router. 

PoC for Remote command execution vulnerability in fiber routers already published in the Exploit Database.

Researchers informed CNCERT regarding 0-day vulnerabilities affects many fiber routes and vendor name is not shared disclosed publically.

Moobot is a new botnet family based on Mirai. Except for Moobot botnet, other botnets such as Fbot botnet and Gafgyt botnets were failed to spread in fiber routers as it requires two steps for successful exploitation. 

The first step involves another vulnerability and second utilizing the PoC available in Exploit db. Researchers did not disclose the first part of vulnerability publically.

Moobot Botnet
Sample Injections commands

The Exploitdb PoC Vulnerability 

Type: remote command execution

 Details: The function form Ping() in the Web server program /bin/boa, When it processes the post request from /boaform/admin/forming, it did not check the target_addr parameters before calling the system ping commands, thereby a command injection becomes possible.

Recommended general best practices for IoT users to check and update their device firmware promptly, and check whether there are default accounts that should be disabled.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Managed WAF Protection

Website

Latest articles

cyber security

Exploitation Methods Used by PlugX Malware Revealed by Splunk Research

PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid...
cyber security

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative...
cyber security

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been...
cyber security

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in...
cyber security

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new...
cyber security

SLAM Attack Gets Root Password Hash in 30 Seconds

Spectre is a class of speculative execution vulnerabilities in microprocessors that can allow threat...
cyber security

Akira Ransomware Exploiting Zero-day Flaws For Organization Network Access

The Akira ransomware group, which first appeared in March 2023, has been identified as...
Hema Vijayakumar
Hema Vijayakumar

Endpoint Strategies for 2024 and beyond

Converge and Defend

What's the pulse of Unified Endpoint Management and Security (UEMS) in Europe? Join us live to uncover the strategies that are defining endpoint security in the region.

Register Your Spot

Related Articles

Connect with GBHackers On Security

Join 70,000 Security Professionals

Stay safe online with free daily cybersecurity updates. Sign up now!

GBHackers on security is a highly informative and reliable Cyber Security News platform that provides the latest and most relevant updates on Cyber Security News, Hacking News, Technology advancements, and Kali Linux tutorials on a daily basis. The platform is dedicated to keeping the community well-informed and up-to-date with the constantly evolving Cyber World.

Menu

Contact US:

[email protected]