Masuta, a Mirai-botnet Variant, Exploiting GPON Vulnerabilities
DDoS attacks are commonly launched by botnets, affected IoT devices exploited and used for malicious purposes. In May 2018, monitored malicious activity was detected in the Mexico area. It bore similarity to Mirai scanning techniques and exploited Gigabit Passive Optical Network (GPON)-based home routers, which allow remote code execution on affected devices. Its given name is MASUTA.
We can break down the ‘MASUTA’ workflow into three main stages:
- Attack preparation
Scanning for potential IoT devices, and brute forcing with known usernames and passwords. Once this succeeds, it reports the result to a pre-defined remote server
- Malware infection
The loader might try to find the architecture of the affected device, in order to fit the right executable code to it.
- Repeating the attack
The bot-master issues a command to the C&C server, launching the actual DDoS attack.
A workflow of Mirai variant, based on MASUTA
The last discovered vulnerabilities in GPON firmwares (CVE-2018-1056 , CVE-2018-10562), could “allow complete control on the device and therefore the network.” The first vulnerability exploits the authentication mechanism of the device, allowing the attacker to bypass the authentication applying a simple string in the URL.
Attack based on CVE-2018-1056 , CVE-2018-10562
- Blocking the exploit URL will block the exploit from completing.
- Block the botnet server IP address (shown in the IoC section)
- Users should patch their device firmware to the latest versions to secure against exploited vulnerabilities.
Indicators of Compromise
- SHA256: 05d24ac0bd8ec951f4f1f27cdc398513c6703314c64e5688fdaeec143a4da48a
- SHA256: 2f09eaa066cc68b76c7803e2e6f36573acbe3971faae4ef0c9b2512719b29efb
- SHA256: 575d5a25cff7c6dc3b970cfc441be19bd4d2429ffa892d078f53773c9d391100
- SHA256: 1824dc38b2a16406e62732be5a6e9521c459d70a55db4b315d1d35315ee299ec
- Muhstik botnet C2 server IP: 22.214.171.124