Exploits & Vulnerabilities
GPON Bugs Exploited for Mirai-like Scanning Activities
We recently found similar Mirai-like scanning activity from Mexico with some being done via the exploitation of CVE-2018-10561 and CVE-2018-10562, two vulnerabilities that are specific to Gigabit Passive Optical Network (GPON)-based home routers.
In April, we discussed our findings on increased activity originating from China targeting network devices in Brazil that mimicked the Mirai botnet’s scanning technique. We recently found similar Mirai-like scanning activity from Mexico. The difference in these attacks, however, is that some of the detected activity is being done via the exploitation of CVE-2018-10561 and CVE-2018-10562, two vulnerabilities that are specific to Gigabit Passive Optical Network (GPON)-based home routers. These two vulnerabilities can be exploited to allow remote code execution (RCE) on the affected device.
Activity detected in Mexico
From 12:00 p.m. UTC on May 8 to 12:00 a.m. UTC on May 10, we detected an influx of activity coming from 3,845 IP addresses located in Mexico. Unlike the previous activity, the targets for this new scanning procedure are distributed. However, based on the username and password combinations we found in our data, we concluded that the target devices still consist of home routers or IP cameras that use default passwords.
Figure 1. Mirai-like scanning activity from Mexico
Figure 2. The Mirai-like behavior is based on MASUTA, a variant of Mirai
Figure 3. Attack on GPON routers exploiting the CVE-2018-10561 and CVE-2018-10562 vulnerabilities
Routers and Cameras as the main targets
According to the monitored traffic, the attack mainly targets routers and cameras, which are being compromised via default usernames and passwords. The large number of users that still use default credentials make botnet attacks especially effective, as they make easy targets for attackers. The top 30 most-commonly used username and password pairs during this attack operation are listed below:
Figure 4. The 30 most commonly used username-password pairs. The numbers on the left-most column indicate the counts for each
Where are the attackers coming from?
We discovered that the Autonomous System Numbers (ASN) of the IP addresses used by most of this operation's attackers is ASN 8151. This ASN is from one of the largest telecommunications companies in Mexico. In addition, based on the WHOIS info of the IP addresses, most of them are owned by the same company based in Mexico. The Attackers’ TCP ports 22, 23, 80, 443, 8080 and UDP port 5060 were observed during the attack. Only 40% of the attackers open one of the observed ports, as shown in the figure below:
Figure 5. 40% of the attackers open one of the observed ports
Based on our data, 32% of the open-port attackers support the Session Initiation Protocol (SIP), a common function for home routers and IP cameras. This means that about 500 attacker devices enable the SIP function. Examples of this are open ports 5060 and 5061, which are both associated with the SIP protocol.
Figure 6. 32% of the open-port attackers support SIP
Roughly 300 attacker devices enable HTTP services. The device identification results of these devices can be seen below:
Figure 7. The distribution of HTTP-enabled attacker devices
Identifying the attacker devices is generally difficult because the related information is limited. However, we can surmise that some of the bots consist of compromised routers and cameras. The attacks use a malware downloading script to download four malware variants (Detected as ELF_MIRAI.AUTJ) for different architectures, namely ARM, ARMv7, MIPS and MIPS little-endian. These four are common architectures used for both embedded and IoT devices.
Figure 8. The malware downloading script
The collected malware samples come in the following file formats:
| Executable | Architecture | Instruction Set |
| ELF 32-bit LSB | MIPS | MIPS-I version 1 (SYSV) |
| ELF 32-bit MSB | MIPS | MIPS-I version 1 (SYSV) |
| ELF 32-bit LSB | ARM | version 1 |
| ELF 32-bit LSB | ARM | EABI4 version 1 (SYSV) |
The use of default usernames and passwords has long been a security headache when it comes to IoT-based attacks. Many users stick with the default credentials because they are unaware that it could compromise security down the line. However, as proven in this blog, and demonstrated in previous attacks targeting IoT devices, attackers often use exploited devices with default credentials as a primary infection vector. We recommend that users change the credentials of their devices — preferably, passwords that include at least 15 characters with a mix of uppercase and lowercase letters, numbers, and special characters — as soon as possible.
Given that the attacks also abuse vulnerabilities, users should also patch their device firmware to the latest versions, as these often come with security updates that address exploitable vulnerabilities. The use of firewalls and intrusion detection and prevention systems can also help prevent attackers from accessing a device or network.
Finally, users can look into employing security solutions that can monitor internet traffic, identify potential attacks, and block any suspicious activities on devices connected to the network. Our IoT Reputation Service (IoTRS), provided by the cloud-based Trend Micro™ Smart Protection Network™ infrastructure and integrated into several Trend Micro IoT security solutions, has updated its real-time block list to offer relevant safeguards against this threat and other malicious web accesses and aberrant behaviors associated with smart devices, including home routers, DVRs, and networked security cameras.
Trend Micro Home Network Security users are protected from this threat via these intrusion prevention rules:
- 1134610, WEB Dasan GPON Routers Command Injection -1.1 (CVE-2018-10561)
- 1134611, WEB Dasan GPON Routers Command Injection -1.2 (CVE-2018-10561)
Trend Micro™ IoT Security for Surveillance Cameras™ (TMIS-CAM) users are protected from this threat via the IoTRS service.
Indicators of Compromise
ELF_MIRAI.AUTJ:
- SHA256: 05d24ac0bd8ec951f4f1f27cdc398513c6703314c64e5688fdaeec143a4da48a
- SHA256: 2f09eaa066cc68b76c7803e2e6f36573acbe3971faae4ef0c9b2512719b29efb
- SHA256: 575d5a25cff7c6dc3b970cfc441be19bd4d2429ffa892d078f53773c9d391100
- SHA256: 1824dc38b2a16406e62732be5a6e9521c459d70a55db4b315d1d35315ee299ec