GPON Vulnerabilities Exploited for Mexico-based Mirai-like Scanning Activities

by Trend Micro IoT Reputation Service Team and Trend Micro Smart Home Network Team

In April, we discussed our findings on increased activity originating from China targeting network devices in Brazil that mimicked the Mirai botnet’s scanning technique. We recently found similar Mirai-like scanning activity from Mexico. The difference in these attacks, however, is that some of the detected activity is being done via the exploitation of CVE-2018-10561 and CVE-2018-10562, two vulnerabilities that are specific to Gigabit Passive Optical Network (GPON)-based home routers. These two vulnerabilities can be exploited to allow remote code execution (RCE) on the affected device.

Activity detected in Mexico

From 12:00 p.m. UTC on May 8 to 12:00 a.m. UTC on May 10, we detected an influx of activity coming from 3,845 IP addresses located in Mexico. Unlike the previous activity, the targets for this new scanning procedure are distributed. However, based on the username and password combinations we found in our data, we concluded that the target devices still consist of home routers or IP cameras that use default passwords.

Figure 1. Mirai-like scanning activity from Mexico

Figure 2. The Mirai-like behavior is based on MASUTA, a variant of Mirai

Figure 3. Attack on GPON routers exploiting the CVE-2018-10561 and CVE-2018-10562 vulnerabilities

Routers and Cameras as the main targets

According to the monitored traffic, the attack mainly targets routers and cameras, which are being compromised via default usernames and passwords. The large number of users that still use default credentials makes botnet attacks especially effective, as such devices are easy targets for attackers.

The top 30 most-commonly used username and password pairs during this attack operation are listed below:

Figure 4. The 30 most commonly used username-password pairs. The numbers in the left-most column indicate the counts for each
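The credential-pair tally above is the kind of aggregation a defender can run over their own honeypot or router login logs. The following is an added example, not code from the post: it parses constructed log lines (the format, the IP addresses and the small DEFAULT_PAIRS stand-in for the post's top-30 list are all assumptions), counts attempts per observed port and per credential pair, and applies the post's two observations as a heuristic (many distinct sources, mostly factory-default logins).

```python
import re
from collections import Counter

# Constructed honeypot log lines (not the Trend Micro data set); one login
# attempt per line in the format LINE_RE expects. Last line is deliberately malformed.
SAMPLE_LOG = """\
2018-05-08T12:01:03Z src=192.0.2.11 dport=23 user=admin pass=admin
2018-05-08T12:01:07Z src=192.0.2.45 dport=23 user=root pass=vizxv
2018-05-08T12:01:09Z src=192.0.2.11 dport=80 user=admin pass=1234
2018-05-08T12:01:20Z src=192.0.2.78 dport=23 user=admin pass=admin
2018-05-08T12:02:41Z src=198.51.100.9 dport=22 user=root pass=xc3511
2018-05-08T12:03:02Z src=192.0.2.45 dport=8080 user=admin pass=admin
2018-05-08T12:03:30Z src=203.0.113.5 dport=23 user=support pass=support
malformed line that the parser must skip
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) "
                     r"user=(?P<user>\S*) pass=(?P<pw>\S*)$")
WATCHED_PORTS = {22, 23, 80, 443, 8080, 5060}   # ports the post observed
# Constructed stand-in for the post's top-30 figure: factory-default pairs
# that appear in the public Mirai credential list.
DEFAULT_PAIRS = {("admin", "admin"), ("admin", "1234"), ("root", "vizxv"),
                 ("root", "xc3511"), ("support", "support")}

def parse_attempts(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec

def summarize(text, top_n=30):
    """Distinct sources, attempts per port and the top credential pairs."""
    attempts = [a for a in parse_attempts(text) if a["dport"] in WATCHED_PORTS]
    defaults = sum((a["user"], a["pw"]) in DEFAULT_PAIRS for a in attempts)
    pairs = Counter((a["user"], a["pw"]) for a in attempts)
    return {
        "distinct_sources": len({a["src"] for a in attempts}),
        "by_port": dict(Counter(a["dport"] for a in attempts)),
        "default_share": defaults / len(attempts) if attempts else 0.0,
        "top_credentials": pairs.most_common(top_n),
    }

def looks_like_mirai_scan(summary, min_sources=3, min_default_share=0.5):
    """Heuristic from the post: many distinct sources, mostly default logins."""
    return (summary["distinct_sources"] >= min_sources
            and summary["default_share"] >= min_default_share)
```

Thresholds are placeholders to be tuned per network; the post's own window saw 3,845 distinct sources in under two days.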

Where are the attackers coming from?

We discovered that the Autonomous System Number (ASN) of the IP addresses used by most of this operation’s attackers is ASN 8151. This ASN belongs to one of the largest telecommunications companies in Mexico. In addition, based on the WHOIS information of the IP addresses, most of them are owned by the same company based in Mexico.

TCP ports 22, 23, 80, 443 and 8080 and UDP port 5060 were observed open on the attackers’ hosts during the attack. Only 40% of the attackers had at least one of the observed ports open, as shown in the figure below:

Figure 5. 40% of the attackers open one of the observed ports

Based on our data, 32% of the open-port attackers support the Session Initiation Protocol (SIP), a common function of home routers and IP cameras. This means that about 500 attacker devices have the SIP function enabled. Open ports 5060 and 5061, which are both associated with SIP, are examples of this.

Figure 6. 32% of the open-port attackers support SIP

Roughly 300 attacker devices enable HTTP services. The device identification results of these devices can be seen below:

Figure 7. The distribution of HTTP-enabled attacker devices

Identifying the attacker devices is generally difficult because the related information is limited. However, we can surmise that some of the bots consist of compromised routers and cameras.

The attacks use a malware downloading script to fetch four malware variants (detected as ELF_MIRAI.AUTJ) for different architectures, namely ARM, ARMv7, MIPS and MIPS little-endian. These four are common architectures used in both embedded and IoT devices.

Figure 8. The malware downloading script

The collected malware samples come in the following file formats:

Executable       Architecture   Instruction Set
ELF 32-bit LSB   MIPS           MIPS-I version 1 (SYSV)
ELF 32-bit MSB   MIPS           MIPS-I version 1 (SYSV)
ELF 32-bit LSB   ARM            version 1
ELF 32-bit LSB   ARM            EABI4 version 1 (SYSV)
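The table rows are the fields an analyst reads out of the ELF header when triaging multi-architecture Mirai drops. The following is an added example, not code from the post and not derived from the ELF_MIRAI.AUTJ samples: it decodes the class, byte order, machine, MIPS ISA level and ARM EABI flags from an ELF32 header and prints them in the table's style. The SAMPLES are minimal headers constructed in the block itself, and the OSABI/machine name tables cover only what the table above needs.

```python
import struct

# Constants from the ELF specification for the fields the table above reports.
ELFDATA = {1: "LSB", 2: "MSB"}
OSABI = {0: "SYSV", 3: "GNU/Linux", 97: "ARM"}
EM_NAMES = {8: "MIPS", 40: "ARM"}
MIPS_ARCH = {0: "MIPS-I", 1: "MIPS-II", 2: "MIPS-III", 3: "MIPS-IV", 4: "MIPS-V",
             5: "MIPS32", 6: "MIPS64", 7: "MIPS32 rel2", 8: "MIPS64 rel2"}

def describe_elf(data):
    """Describe an ELF32 header the way the table above does; raise on non-ELF input."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    cls, enc, osabi = data[4], data[5], data[7]
    if cls != 1 or enc not in ELFDATA:
        raise ValueError("only ELF32 LSB/MSB headers are handled here")
    end = "<" if enc == 1 else ">"
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags
    _, machine, version, _, _, _, flags = struct.unpack(end + "HHIIIII", data[16:40])
    parts = ["ELF 32-bit", ELFDATA[enc], EM_NAMES.get(machine, f"machine {machine}")]
    if machine == 8:                     # MIPS: ISA level in the top nibble of e_flags
        parts.append(MIPS_ARCH.get(flags >> 28, f"arch {flags >> 28}"))
    elif machine == 40 and flags >> 24:  # ARM: EABI version in the top byte of e_flags
        parts.append(f"EABI{flags >> 24}")
    parts.append(f"version {version} ({OSABI.get(osabi, f'ABI {osabi}')})")
    return " ".join(parts)

def make_elf32(enc, machine, flags, osabi=0):
    """Build a minimal constructed ELF32 header (52 bytes) for testing only."""
    end = "<" if enc == 1 else ">"
    ident = b"\x7fELF" + bytes([1, enc, 1, osabi]) + b"\x00" * 8
    hdr = struct.pack(end + "HHIIIII", 2, machine, 1, 0, 0, 0, flags)  # ET_EXEC, e_version=1
    return ident + hdr + b"\x00" * 12   # remaining ELF32 header fields zeroed

# Constructed stand-ins for the four architectures named in the post (not the samples).
SAMPLES = {
    "mips_le":   make_elf32(1, 8, 0x00000000),
    "mips_be":   make_elf32(2, 8, 0x00000000),
    "arm_oabi":  make_elf32(1, 40, 0x00000000),
    "arm_eabi4": make_elf32(1, 40, 0x04000000),
}

def triage(samples):
    """Map each sample name to its header description."""
    return {name: describe_elf(data) for name, data in samples.items()}
```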

The use of default usernames and passwords has long been a security headache when it comes to IoT-based attacks. Many users stick with the default credentials because they are unaware that it could compromise security down the line. However, as proven in this blog, and demonstrated in previous attacks targeting IoT devices, attackers often use exploited devices with default credentials as a primary infection vector. We recommend that users change the credentials of their devices — preferably, passwords that include at least 15 characters with a mix of uppercase and lowercase letters, numbers, and special characters — as soon as possible.

Given that the attacks also abuse vulnerabilities, users should also patch their device firmware to the latest versions, as these often come with security updates that address exploitable vulnerabilities. The use of firewalls and intrusion detection and prevention systems can also help prevent attackers from accessing a device or network.

Finally, users can look into employing security solutions that can monitor internet traffic, identify potential attacks, and block any suspicious activities on devices connected to the network. Our IoT Reputation Service (IoTRS), provided by the cloud-based Trend Micro™ Smart Protection Network™ infrastructure and integrated into several Trend Micro IoT security solutions, has updated its real-time block list to offer relevant safeguards against this threat and other malicious web accesses and aberrant behaviors associated with smart devices, including home routers, DVRs, and networked security cameras.

Trend Micro Smart Home Network™ users are protected from this threat via these intrusion prevention rules:

  • 1134610, WEB Dasan GPON Routers Command Injection -1.1 (CVE-2018-10561)
  • 1134611, WEB Dasan GPON Routers Command Injection -1.2 (CVE-2018-10561)

Trend Micro IoT Security for Surveillance Cameras™ (TMIS-CAM) users are protected from this threat via the IoTRS service.

Indicators of Compromise:

 ELF_MIRAI.AUTJ:

  • SHA256: 05d24ac0bd8ec951f4f1f27cdc398513c6703314c64e5688fdaeec143a4da48a
  • SHA256: 2f09eaa066cc68b76c7803e2e6f36573acbe3971faae4ef0c9b2512719b29efb
  • SHA256: 575d5a25cff7c6dc3b970cfc441be19bd4d2429ffa892d078f53773c9d391100
  • SHA256: 1824dc38b2a16406e62732be5a6e9521c459d70a55db4b315d1d35315ee299ec

Read more: GPON Vulnerabilities Exploited for Mexico-based Mirai-like Scanning Activities

Story added 21 May 2018; the content source with the full text can be found at the link above.