D-Link router vulnerabilities eyed by Moobot operators

September 23, 2022

A variant of the Mirai botnet called Moobot has reemerged in a new threat campaign that targets vulnerabilities in D-Link routers. Based on reports, the botnet targets both old and new flaws in D-Link routers.

According to researchers, the attacks resurfaced in August, but they have not produced any suspicious activity notable to the authorities. The botnet operators commonly offer distributed denial-of-service products to third-party users who want to perform disruption campaigns against websites and other online services.

However, the current Moobot threat actors usually utilise compromised devices to execute DDoS attacks that aim to disrupt targeted devices. Subsequently, they initiate remote code execution on their targets and download malware binaries.

The actors then register the newly captured routers with the command-and-control servers once the malware decodes a hard-coded address from the system config. The hackers then use the infected routers to launch distributed denial-of-service attacks on an IP address and port number manipulated by the Moobot operators.

Moobot could exploit four distinct D-Link router vulnerabilities.

Researchers explained that the Moobot botnet could target multiple D-Link router vulnerabilities. These critical flaws affect both old and new versions of the routers.

The first two flaws are CVE-2022-28958 and CVE-2022-26258, ranked by researchers as very dangerous with a critical severity score of 9.8. Both vulnerabilities could enable remote command execution by malicious actors.

The third flaw, tracked by researchers as CVE-2018-6530, also has a critical severity score of 9.8, but it differs from the first two in that it is a remote code execution flaw in the D-Link SOAP interface.

The last flaw is CVE-2015-2051, with a critical severity score of 10.0. It is the D-Link HNAP SOAPAction header command execution flaw.

Experts suggest that security vendors should provide repairs and upgrades even though not all users have installed the immediate fixes. This botnet was first described by researchers last December. It has increased its targets dramatically over the past months.

Cybersecurity experts suggest that D-Link device users should apply patches and upgrades whenever they are available. Lastly, users are urged to change admin passwords and install the latest patches to mitigate potential threats.
