An apparent botnet comprised of more than 3,000 separate source IPs generated a large, sudden spike in exploit attacks on July 19, targeting D-Link 2750B and certain Dasan GPON (Gigabit Passive Optical Network) small and home office routers.
The operation may have been an attempt to compromise routers so they could be leveraged to launch distributed denial of service attacks, distribute malicious content, or spy on browsing activity, suggests the eSentire Threat Intelligence team, which authored a corresponding blog post and threat advisory after observing the incident while monitoring its customers.
Reportedly, the attackers sought to capitalize on a pair of vulnerabilities that, chained together, can result in remote code execution, and for which only an unofficial patch is available. The vulnerabilities — CVE-2018-10561, an authentication bypass flaw, and CVE-2018-10562, a command injection bug — were discovered and publicly disclosed in May 2018, and have since been used in various campaigns. Dasan routers running ZIND-GPON-25xx firmware, some Dasan H650 series GPON routers, and D-Link DSL-2750B routers with firmware 1.01 to 1.03 are vulnerable to the exploits.
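The defining feature of the activity described above is its shape: a sudden burst of requests from thousands of distinct source addresses rather than a slow trickle. The following Python script, an added example that is not from the article or from eSentire, shows one way a defender can flag that shape in web or gateway access logs. It buckets requests into five-minute windows, counts requests and distinct sources per window, and flags any window whose distinct-source count is both above an absolute floor and far above the median of the other windows. The log format (`timestamp source_ip path status`), the sample lines, the thresholds, and the IP ranges are all constructed for this example.

```python
"""Flag time windows where distinct-source volume jumps far above baseline,
the traffic shape the article describes (a sudden spike from >3,000 IPs).
Added example; the log format and sample data are constructed, not real."""

from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one constructed log line: 'timestamp source_ip path status'."""
    ts_str, src, path, status = line.split()
    return datetime.strptime(ts_str, TS_FMT), src, path, int(status)


def window_stats(lines, window_minutes=5):
    """Return {window_start_iso: (request_count, distinct_sources)}."""
    requests = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        ts, src, _, _ = parse_line(line)
        start = ts.replace(second=0, microsecond=0)
        start -= timedelta(minutes=start.minute % window_minutes)
        key = start.strftime(TS_FMT)
        requests[key] += 1
        sources[key].add(src)
    return {k: (requests[k], len(sources[k])) for k in requests}


def flag_bursts(stats, min_sources=100, ratio=10.0):
    """Windows whose distinct-source count is >= min_sources and at least
    `ratio` times the median distinct-source count of all windows.
    Thresholds are assumptions; tune them to the monitored environment."""
    counts = {k: v[1] for k, v in stats.items()}
    baseline = max(median(counts.values()), 1) if counts else 1
    return [k for k in sorted(counts)
            if counts[k] >= min_sources and counts[k] >= ratio * baseline]


def build_sample_log():
    """Constructed sample: an hour of quiet baseline traffic from three
    clients, then one five-minute window hit by 3,200 distinct sources."""
    lines = []
    base = datetime(2018, 7, 19, 10, 0, 0)
    for w in range(12):                      # 12 baseline windows
        for k in range(3):                   # three legitimate clients
            ts = base + timedelta(minutes=5 * w, seconds=10 * k)
            lines.append(f"{ts:{TS_FMT}} 198.51.100.{k + 1} / 200")
    burst = base + timedelta(hours=1)
    for i in range(3200):                    # 3,200 distinct synthetic IPs
        ts = burst + timedelta(seconds=i % 300)
        src = f"10.{(i >> 8) & 255}.{i & 255}.{(i % 7) + 1}"
        lines.append(f"{ts:{TS_FMT}} {src} / 200")
    return lines


if __name__ == "__main__":
    stats = window_stats(build_sample_log())
    for window in flag_bursts(stats):
        reqs, srcs = stats[window]
        print(f"burst at {window}: {reqs} requests from {srcs} distinct sources")
```

Run against real logs, the same two numbers per window (request count and distinct sources) are what distinguish a distributed burst like this one from a single noisy scanner, so they are worth exporting as metrics even where the fixed thresholds above are replaced by whatever baseline the environment supports.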