Malicious hackers are mass exploiting a critical vulnerability in D-Link DSL routers in an attempt to make them part of Satori, the potent Internet-of-things botnet that is used to take down websites and mine digital coins, researchers said.
Since making its debut late last year, Satori has proven to be a particularly versatile and sophisticated botnet. It made a name for itself in December when it infected more than 100,000 Internet-connected devices in just 12 hours by exploiting remote code-execution vulnerabilities in Huawei and RealTek routers. A month later, Satori operators released a new version that infected devices used to mine digital coins, proving that the IoT botnet could also take control of more traditional computing devices. In February, Satori resurfaced when it infected tens of thousands of routers manufactured by Dasan Networks.
Over the past five days, researchers said, Satori has started mass exploiting a critical vulnerability in the D-Link DSL 2750B, a combination router and DSL modem that’s used by subscribers of Verizon and other ISPs. Attack code exploiting the two-year-old remote code-execution vulnerability was published last month, although Satori’s customized payload delivers a worm. That means infections can spread from device to device with no end-user interaction required. D-Link’s website doesn’t list a patch for the unindexed vulnerability, and D-Link representatives didn’t respond to an email seeking comment for this post.
Researchers with Netlab 360 first reported Satori was exploiting the D-Link vulnerability in a blog post published Friday. They also said Satori had started exploiting a vulnerability in a router made by XiongMai. On Tuesday, researchers from Radware reported seeing an “exponential increase in the number of attack sources” for attacks on both the D-Link and XiongMai devices.