Attacks/Breaches
3/4/2014
10:05 AM
50%
50%

Malware-Lobbing Hackers Seize 300,000 Routers

Hackers launch scam and malware campaigns after compromising a variety of routers running firmware with known vulnerabilities.

More than 300,000 home and small-office (SOHO) routers have been compromised by hackers and are being used to distribute massive quantities of spam and malware.

Florida-based security firm Team Cymru sounded that alarm Monday in a research report into the router takeovers, which it's been tracking since January. Hacked routers have been found everywhere from the United States to Russia, although the largest quantity were traced to Vietnam, India, Turkey, Thailand, and Columbia.

Team Cymru has shared its findings with multiple law enforcement agencies, and tried to contact all affected manufacturers, which it said include D-Link, Micronet, Tenda, and TP-Link, among others.

The attackers appear to have gained access to the routers by exploiting known flaws in the devices to gain administrative access and change their DNS settings. (Unlike other hacks, whether or not the users kept the routers' default passwords does not seem related to this attack.) For example, some exploited devices were vulnerable to a cross-site request forgery (CSRF) attack, which allowed attackers to inject malicious JavaScript and alter the routers' DNS settings. Others were running firmware with a known flaw that "allows attackers to download the saved configuration file, and thus the administrative credentials, from an unauthenticated URL in the web interface," according to Team Cymru.

[Want to learn more about router vulnerabilities? See D-Link Router Vulnerable To Authentication Bypass.]

Who's behind the 300,000-router takeover campaign? The compromised devices are connecting to two servers -- located at 5.45.75.11 and 5.45.75.36 -- which handle all external DNS requests. Team Cymru spokesman Steve Santorelli told PC Pro that both of those IP addresses are registered to a supposedly London-based company called 3NT Solutions.

Last month, security analyst Conrad Longmore published a blog post reporting that those IP addresses assigned to 3NT Solutions were involved in "something evil." In particular, the company's IP addresses appeared to be associated with a spam campaign distributing "FlashUpdate.apk" Android malware, which as of Tuesday was only being detected by about half of all antivirus scanners on the market. If the malware is executed on a vulnerable Android device, it then downloads a second piece of malware named "Security-Update.apk," which is a Trojan proxy.

About 10 days ago, Longmore traced 3NT's mailing address to a London branch of Mail Boxes Etc., and the address listed in its WHOIS entry to a London-based mail-forwarding service. But based on a lookup of the IP ranges associated with the business, he said it connects with Inferno.name, which has had a reputation for hosting "scammy sites" since 2011. "I had a look into some of 3NT's IP ranges and you can tell instantly from these samples that they are pretty low-grade spammy sites," he said. "What you can't tell from that list are the command and control servers that they run, and of course they also host malware."

Longmore said that while 3NT appears to be based in Serbia, it's also operating sites in Russia and the Ukraine. He noted that "Ukrainian hosts often serve as black-hat hosts for Russian criminals" and that "Serbia and Russia also have close ties."

(Image credit: Wikipedia)
(Image credit: Wikipedia)

Compromising businesses' routers would allow attackers to channel all external traffic through their own DNS servers and launch man-in-the-middle attacks. Accordingly, one possible motive for the 3NT attack campaign could be to intercept consumers' banking credentials, as happened in a recent router-exploitation campaign that targeted users of five Polish banks, including mBank.

But in this case, the quantity of exploited routers suggests that attackers have a different goal. "The scale of this attack suggests a more traditional criminal intent, such as search result redirection, replacing advertisements, or installing drive-by downloads; all activities that need to be done on a large scale for profitability," according to Team Cymru. "The more manually intensive bank account transfers seen in Poland would be difficult to conduct against such a large and geographically disparate victim group."

The twist with the 300,000-plus compromised routers is that they could have been patched, and related exploits thus blocked. "Our research into this campaign did not uncover new, unknown vulnerabilities. Indeed, some of the techniques and vulnerabilities we observed have been public for well over a year," according to Team Cymru.

As that suggests, the number of routers that run unpatched firmware with known, exploitable vulnerabilities, remains rife. Researchers at security firm Tripwire, for example, recently studied the 50 most popular routers for sale on Amazon.com, and found that 74% of them contained vulnerabilities that

Next Page

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/5/2014 | 9:42:40 AM
Just the beginning?
"The large number of vulnerabilities found -- and exploited -- in SOHO routers, as well as webcams, will likely soon be joined by the mass exploitation of Internet-connected thermostats, electronic locks, and home automation equipment."

This is really a scary thought. If router manufacturers aren't proactively hardening equipment they sell to the the SOHO market, it's hard to imagine that the IoT products in the pipeline will be any more secure.

 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.