Researchers saw several IoT botnets using one of the bugs in the wild after a proof-of-concept was published in March.

The Mootbot botnet has been using a pair of zero-day exploits to compromise multiple types of fiber routers. According to researchers, other botnets have attempted to do the same, but have so far failed.

According to researchers at NetLab 360, the operators of the Mootbot botnet in late February started to exploit a zero-day bug found in nine different types of fiber routers used to provide internet access and Wi-Fi to homes and businesses (including the Netlink GPON router). The flaw is a remote code-execution bug with a public proof-of-concept (PoC) exploit – but for it to be used successfully to compromise a target router, it must be paired with a second vulnerability.

“It is likely most of the vendors are OEM products of the same original vendor,” the firm explained in a recent posting. However, NetLab 360 said that it wouldn’t release the original vendor’s name nor details of the second bug, because the vendor told the security firm that it didn’t see the bug as viable.

“On March 17, we confirmed the exploit was a 0-day and reported the result to CNCERT,” according to the analysis. “We also contacted the vendor but was told this problem should not be happening because the default config of the device should not have this issue (the reality is different). So they won’t take this case from us.”

Despite that initial assessment, a PoC code for the bug emerged on ExploitDB a day later. And a day after that, on March 19, the firm saw attacks in the wild using the PoC to attempt to spread the Gafgyt botnet. A few days later, the botnet had adopted the PoC as part of a worming attempt to move from router to router. Meanwhile, on March 24, another wave of exploit attempts emerged using the PoC, this time trying to spread the Fbot botnet.

“The PoC lefts out a crucial prerequisite – another vulnerability needs to be used together with this PoC for it to work,” researchers explained. “So, a successful execution of the injected commands will not have the target device compromised.”

Moobot is a new botnet family based on Mirai botnet, which targets internet of things (IoT) devices. While most IoT botnets go after gear that may have weak or default passwords, Mootbot stands out for its use of zero-day exploits, researchers said. It’s worth noting that the malware was also seen in March using multiple zero days to target LILIN DVR and IP cameras.

Though it didn’t release details of the second success factor in the kill chain, NetLab 360 recommended that to protect against the threat, users that have fiber-based internet access routers should check and update their device firmware, and check whether there are default accounts that should be disabled.

Jack Mannino, CEO at nVisium, told Threatpost that the focus on routers offers attackers certain advantages.

“Controlling network infrastructure will always be an appealing attacker goal because of the springboard it provides for launching future attacks,” he said. “As a software developer, it’s important to consider that the networks your users access your product from may be compromised, and build this into your threat models. Whether it’s the level of access it provides to network traffic, or the chokepoints and amplifiers for DDoS attacks they present, previous botnets, such as Mirai, gave us a glimpse into what these campaigns can achieve. More security teams focus on their Patch Tuesday fixes than updating the devices they frequently expose directly to the internet.”

Worried about your cloud security in the work-from-home era? On April 23 at 2 p.m. ET, join DivvyCloud and Threatpost for a FREE webinar, A Practical Guide to Securing the Cloud in the Face of Crisis. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 – and during all times of crisis. Please register here for this sponsored webinar.