3/4/2014
Malware-Lobbing Hackers Seize 300,000 Routers

Hackers launch scam and malware campaigns after compromising a variety of routers running firmware with known vulnerabilities.

More than 300,000 home and small-office (SOHO) routers have been compromised by hackers and are being used to distribute massive quantities of spam and malware.

Florida-based security firm Team Cymru sounded the alarm Monday in a research report on the router takeovers, which it has been tracking since January. Hacked routers have been found everywhere from the United States to Russia, although the largest numbers were traced to Vietnam, India, Turkey, Thailand, and Colombia.

Team Cymru has shared its findings with multiple law enforcement agencies, and tried to contact all affected manufacturers, which it said include D-Link, Micronet, Tenda, and TP-Link, among others.

The attackers appear to have gained access to the routers by exploiting known flaws in the devices to obtain administrative access and change their DNS settings. (Unlike many router attacks, this one does not appear to depend on whether users kept the routers' default passwords.) For example, some exploited devices were vulnerable to a cross-site request forgery (CSRF) attack, which allowed attackers to inject malicious JavaScript and alter the routers' DNS settings. Others were running firmware with a known flaw that "allows attackers to download the saved configuration file, and thus the administrative credentials, from an unauthenticated URL in the web interface," according to Team Cymru.


Who's behind the 300,000-router takeover campaign? The compromised devices are connecting to two servers -- located at 5.45.75.11 and 5.45.75.36 -- which handle all external DNS requests. Team Cymru spokesman Steve Santorelli told PC Pro that both of those IP addresses are registered to a supposedly London-based company called 3NT Solutions.
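A defender-side check for the hijack described above, written here as an added example (not Team Cymru's or Dark Reading's code): it scans constructed flow records and a resolv.conf-style resolver list for the two rogue resolver addresses named in the article. The flow-record format and all sample data are assumptions.

```python
import ipaddress
import re

# The two resolver addresses Team Cymru reported the hijacked routers using.
ROGUE_RESOLVERS = frozenset({"5.45.75.11", "5.45.75.36"})

# Constructed sample flow records: "timestamp src_ip dst_ip proto dst_port".
SAMPLE_FLOWS = """\
2014-03-03T10:01:02 192.168.1.20 8.8.8.8 udp 53
2014-03-03T10:01:05 192.168.1.21 5.45.75.11 udp 53
2014-03-03T10:01:09 192.168.1.22 93.184.216.34 tcp 443
2014-03-03T10:01:12 192.168.1.21 5.45.75.36 udp 53
2014-03-03T10:01:15 192.168.1.23 5.45.75.11 tcp 53
"""

# Constructed sample of the resolver list a hijacked router hands out via DHCP.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd from router 192.168.1.1
nameserver 5.45.75.11
nameserver 192.168.1.1
"""

FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(udp|tcp)\s+(\d+)$")


def rogue_dns_flows(flow_text, rogue=ROGUE_RESOLVERS):
    """Return (timestamp, src, dst) for port-53 flows to a rogue resolver."""
    hits = []
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip malformed records instead of failing the whole scan
        ts, src, dst, _proto, dport = m.groups()
        if dport == "53" and dst in rogue:
            hits.append((ts, src, dst))
    return hits


def rogue_nameservers(resolv_text, rogue=ROGUE_RESOLVERS):
    """Return nameserver entries in resolv.conf-style text that are rogue."""
    found = []
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] != "nameserver":
            continue
        try:
            addr = str(ipaddress.ip_address(parts[1]))  # validates and normalises
        except ValueError:
            continue
        if addr in rogue:
            found.append(addr)
    return found
```

Any internal host listed by `rogue_dns_flows`, or any match from `rogue_nameservers` on a client's resolver list, points at a router whose DNS settings should be reset and whose firmware needs the vendor's patch.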

Last month, security analyst Conrad Longmore published a blog post reporting that those IP addresses assigned to 3NT Solutions were involved in "something evil." In particular, the company's IP addresses appeared to be associated with a spam campaign distributing "FlashUpdate.apk" Android malware, which as of Tuesday was only being detected by about half of all antivirus scanners on the market. If the malware is executed on a vulnerable Android device, it then downloads a second piece of malware named "Security-Update.apk," which is a Trojan proxy.

About 10 days ago, Longmore traced 3NT's mailing address to a London branch of Mail Boxes Etc., and the address listed in its WHOIS entry to a London-based mail-forwarding service. But based on a lookup of the IP ranges associated with the business, he said it connects with Inferno.name, which has had a reputation for hosting "scammy sites" since 2011. "I had a look into some of 3NT's IP ranges and you can tell instantly from these samples that they are pretty low-grade spammy sites," he said. "What you can't tell from that list are the command and control servers that they run, and of course they also host malware."

Longmore said that while 3NT appears to be based in Serbia, it's also operating sites in Russia and the Ukraine. He noted that "Ukrainian hosts often serve as black-hat hosts for Russian criminals" and that "Serbia and Russia also have close ties."

(Image credit: Wikipedia)

Compromising businesses' routers would allow attackers to channel all external traffic through their own DNS servers and launch man-in-the-middle attacks. Accordingly, one possible motive for the 3NT attack campaign could be to intercept consumers' banking credentials, as happened in a recent router-exploitation campaign that targeted users of five Polish banks, including mBank.

But in this case, the quantity of exploited routers suggests that attackers have a different goal. "The scale of this attack suggests a more traditional criminal intent, such as search result redirection, replacing advertisements, or installing drive-by downloads; all activities that need to be done on a large scale for profitability," according to Team Cymru. "The more manually intensive bank account transfers seen in Poland would be difficult to conduct against such a large and geographically disparate victim group."

The twist with the 300,000-plus compromised routers is that they could have been patched, and related exploits thus blocked. "Our research into this campaign did not uncover new, unknown vulnerabilities. Indeed, some of the techniques and vulnerabilities we observed have been public for well over a year," according to Team Cymru.

As that suggests, routers running unpatched firmware with known, exploitable vulnerabilities remain rife. Researchers at security firm Tripwire, for example, recently studied the 50 most popular routers for sale on Amazon.com, and found that 74% of them contained vulnerabilities that


Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments
Marilyn Cohodas, User Rank: Strategist
3/5/2014 | 9:42:40 AM
Just the beginning?
"The large number of vulnerabilities found -- and exploited -- in SOHO routers, as well as webcams, will likely soon be joined by the mass exploitation of Internet-connected thermostats, electronic locks, and home automation equipment."

This is really a scary thought. If router manufacturers aren't proactively hardening equipment they sell to the SOHO market, it's hard to imagine that the IoT products in the pipeline will be any more secure.
