Thursday, March 28, 2024

Moobot Botnet Hacks Various Fiber Routers Using 0-Day Vulnerability

Qihoo 360’s Netlab Researchers observed Moobot botnet has successfully spread in fiber routers for remote code execution using0-day vulnerability. 

There is a total of 9 vendors are affected by the same vulnerability, it is likely most of the vendors are OEM products of the same original vendor.

Recent IOT 0-day Vulnerabilities

360’s Netlab Researchersseen the trend of 0-day vulnerabilities of IoT devices exploited to spread the multiple botnets in the past 30 days.

LILIN DVR 0-day vulnerabilities to spread Chalubo, FBot, and Moobotbotnets.On February 13, 2020, the vendor fixed the vulnerability and released the latest firmware program 2.0b60_20200207.

DrayTek Vigorenterprise routers and switch devices affected with pair of 0-day vulnerability. On February 10, 2020, the manufacturer DrayTek issued a security bulletin, which fixed the vulnerability and released the latest firmware program 1.5.1.

Fiber routers include Netlink GPON spreads Moobot botnet

On February 28, 2020, Researchers noticed the Moobot botnet successfully used a new exploit (two steps) to spread in fiber routers including Netlink GPON router. 

PoC for Remote command execution vulnerability in fiber routers already published in the Exploit Database.

Researchers informed CNCERT regarding 0-day vulnerabilities affects many fiber routes and vendor name is not shared disclosed publically.

Moobot is a new botnet family based on Mirai. Except for Moobot botnet, other botnets such as Fbot botnet and Gafgyt botnets were failed to spread in fiber routers as it requires two steps for successful exploitation. 

The first step involves another vulnerability and second utilizing the PoC available in Exploit db. Researchers did not disclose the first part of vulnerability publically.

Moobot Botnet
Sample Injections commands

The Exploitdb PoC Vulnerability 

Type: remote command execution

 Details: The function form Ping() in the Web server program /bin/boa, When it processes the post request from /boaform/admin/forming, it did not check the target_addr parameters before calling the system ping commands, thereby a command injection becomes possible.

Recommended general best practices for IoT users to check and update their device firmware promptly, and check whether there are default accounts that should be disabled.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles