Masuta, a Mirai-botnet Variant, Exploiting GPON Vulnerabilities

DDoS attacks are commonly launched by botnets: compromised IoT devices that have been exploited and put to malicious use. In May 2018, malicious activity was detected in the Mexico area that resembled Mirai's scanning techniques and targeted Gigabit Passive Optical Network (GPON) based home routers through vulnerabilities that allow remote code execution on affected devices. The variant was named MASUTA.

We can break down the ‘MASUTA’ workflow into three main stages:

  • Attack preparation

Scanning for potential IoT devices and brute forcing them with known usernames and passwords. Once this succeeds, the bot reports the result to a pre-defined remote server.

  • Malware infection

The loader may try to determine the architecture of the affected device in order to deliver the matching executable.

  • Repeating the attack

The bot-master issues a command to the C&C server, launching the actual DDoS attack.

Workflow of the Mirai variant, based on MASUTA

The latest vulnerabilities discovered in GPON firmware (CVE-2018-1056, CVE-2018-10562) could “allow complete control on the device and therefore the network.” The first vulnerability targets the device's authentication mechanism, allowing an attacker to bypass authentication by adding a simple string to the URL.

Attack based on CVE-2018-1056, CVE-2018-10562

Mitigation

  • Blocking the exploit URL will block the exploit from completing.
  • Block the botnet server IP address (shown in the IoC section).
  • Users should patch their device firmware to the latest versions to secure against exploited vulnerabilities.
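The two stages of the workflow above that leave traces on the defender's side are the credential brute force (stage 1) and the contact with the C&C server (stage 3). The following is an added detection example, not code from the original report: it runs over constructed router log lines (the `auth ...`/`conn out ...` field format is an assumption, not a real vendor's syntax) and flags brute-force sources, sources whose brute force succeeded, and outbound connections to the C2 address listed in the IoC section.

```python
import re
from collections import Counter, defaultdict

# C2 address published in the IoC section of this report.
C2_IPS = {"165.227.78.159"}
# Failed logins from one source before we call it Mirai-style brute forcing.
BRUTE_FORCE_THRESHOLD = 4

# Assumed log formats (constructed for this example, not a vendor format).
AUTH_RE = re.compile(r"auth (?P<result>fail|ok) user=(?P<user>\S+) src=(?P<src>[\d.]+)")
CONN_RE = re.compile(r"conn out dst=(?P<dst>[\d.]+):(?P<port>\d+)")


def analyse(lines):
    """Scan log lines once; return brute-force sources, sources that got in
    after a brute-force burst, and any outbound contact with a known C2 IP."""
    failures = Counter()           # failed logins per source address
    tried_users = defaultdict(set) # distinct usernames tried per source
    compromised = []
    c2_contacts = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            src = m["src"]
            if m["result"] == "fail":
                failures[src] += 1
                tried_users[src].add(m["user"])
            elif failures[src] >= BRUTE_FORCE_THRESHOLD:
                # A success after a burst of failures: the credential guessing worked.
                compromised.append(src)
            continue
        m = CONN_RE.search(line)
        if m and m["dst"] in C2_IPS:
            c2_contacts.append(f"{m['dst']}:{m['port']}")
    brute = sorted(src for src, n in failures.items() if n >= BRUTE_FORCE_THRESHOLD)
    return {"brute_force_sources": brute, "compromised": compromised, "c2_contacts": c2_contacts}


# Constructed sample log (documentation addresses; port 8080 is made up).
SAMPLE_LOG = [
    "auth fail user=admin src=203.0.113.7",
    "auth fail user=root src=203.0.113.7",
    "auth fail user=support src=203.0.113.7",
    "auth fail user=user src=203.0.113.7",
    "auth ok user=admin src=203.0.113.7",
    "auth fail user=admin src=198.51.100.2",
    "auth ok user=alice src=192.0.2.10",
    "conn out dst=198.51.100.50:443",
    "conn out dst=165.227.78.159:8080",
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Both checks fire on the constructed log for 203.0.113.7 and for the C2 address; a single failed login from 198.51.100.2 stays below the threshold and is not reported.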

Indicators of Compromise

  • SHA256: 05d24ac0bd8ec951f4f1f27cdc398513c6703314c64e5688fdaeec143a4da48a
  • SHA256: 2f09eaa066cc68b76c7803e2e6f36573acbe3971faae4ef0c9b2512719b29efb
  • SHA256: 575d5a25cff7c6dc3b970cfc441be19bd4d2429ffa892d078f53773c9d391100
  • SHA256: 1824dc38b2a16406e62732be5a6e9521c459d70a55db4b315d1d35315ee299ec
  • Muhstik botnet C2 server IP: 165.227.78.159