Link maker

Researchers warn that older D-Link routers are at risk from Mirai malware variant

Diving brief:

  • Threat actors are exploiting vulnerabilities in D-Link routers to deliver a Mirai malware variant called MooBot, which targets exposed network devices running Linux, according to research published Tuesday of Unit 42 of Palo Alto Networks.
  • Although the manufacturer has issued security bulletins for the vulnerabilities, users may be using older or unpatched versions of D-Link devices, according to the report.
  • The report cites four known vulnerabilities exploited in the attacks. Upon successful operation, the wget utility downloads samples of the malware variant.

Overview of the dive:

MooBot was originally discovered in September 2019 by security firm Qihoo 360. MooBot is spread by threat actors who take advantage of a device’s default credentials, n-day or zero- day, according to the researchers.

“Once MooBot starts running on the compromised devices, attackers can add the compromised devices to their botnet and launch DDoS attacks for different purposes,” said Zhibin Zhang, principal researcher at Palo Alto Networks.

Vulnerabilities include the following:

  • CVE-2015-2051 D-Link HNAP SOAPAction Header Command Execution Vulnerability
  • CVE-2018-6530 D-Link SOAP Interface Remote Code Execution Vulnerability
  • CVE-2022-26258 D-Link Remote Code Execution Vulnerability
  • CVE-2022-28958 D-Link Remote Code Execution Vulnerability

Palo Alto Networks Unit 42 researchers initially noticed the activity in August, which involved the operation of D-Link home routers designed for consumer use. However, many corporate employees continue to work remotely and therefore use routers for work.

William Brown, senior vice president of operations and CISO at D-Link, said nearly all affected products reached end-of-life (EOL) or end-of-service (EOS) about four years ago. Brown said the devices should be removed and replaced.

“We didn’t know that, even though we scour the net all the time,” Brown said via email.

Brown said researchers may have noticed the vulnerabilities because they are no longer supported due to reaching end-of-life status.

When asked if the researchers had contacted the company, Jen Miller Osborn, deputy director of threat intelligence at Unit 42, said that once a proof of concept is public, attackers are known to start exploiting them within 24 hours.

“Typical responsible disclosure focuses on 90 days – some of the vulnerabilities in our blog date back to 2015,” Osborn noted via email.

Osborn said that at this point it’s the users’ responsibility to apply patches, and the researchers strongly recommend that they apply upgrades and patches when possible. Brown said the company would follow up with researchers.

D-Link published a newsletter Wednesday with information about the security issue after Cybersecurity Dive requested comment on the report. Brown said the company’s direct-to-consumer channel will typically offer a low-cost upgrade for these devices.