Malware-Lobbing Hackers Seize 300,000 Routers
Hackers launch scam and malware campaigns after compromising a variety of routers running firmware with known vulnerabilities.
More than 300,000 home and small-office (SOHO) routers have been compromised by hackers and are being used to distribute massive quantities of spam and malware.
Florida-based security firm Team Cymru sounded the alarm Monday in a research report into the router takeovers, which it has been tracking since January. Hacked routers have been found everywhere from the United States to Russia, although the largest number were traced to Vietnam, India, Turkey, Thailand, and Colombia.
Team Cymru has shared its findings with multiple law enforcement agencies, and tried to contact all affected manufacturers, which it said include D-Link, Micronet, Tenda, and TP-Link, among others.
The attackers appear to have gained access to the routers by exploiting known flaws in the devices to gain administrative access and change their DNS settings. (Unlike many other router hacks, this campaign does not appear to depend on users having kept the routers' default passwords.) For example, some exploited devices were vulnerable to a cross-site request forgery (CSRF) attack, which allowed attackers to inject malicious JavaScript and alter the routers' DNS settings. Others were running firmware with a known flaw that "allows attackers to download the saved configuration file, and thus the administrative credentials, from an unauthenticated URL in the web interface," according to Team Cymru.
Who's behind the 300,000-router takeover campaign? The compromised devices are connecting to two servers -- located at 5.45.75.11 and 5.45.75.36 -- which handle all external DNS requests. Team Cymru spokesman Steve Santorelli told PC Pro that both of those IP addresses are registered to a supposedly London-based company called 3NT Solutions.
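A defender-side check for the hijack described above: the two resolver addresses are the ones named in the Team Cymru report, but the flow records, the client addresses and the "expected resolver" allowlist are constructed for this example, which is added here and is not part of the original article or Team Cymru's tooling.

```python
import ipaddress
from collections import defaultdict

# Rogue DNS servers named in the report (taken from the article).
ROGUE_RESOLVERS = {ipaddress.ip_address("5.45.75.11"),
                   ipaddress.ip_address("5.45.75.36")}

# Resolvers this network is supposed to use (assumption: constructed, TEST-NET range).
EXPECTED_RESOLVERS = {ipaddress.ip_address("192.0.2.53"),
                      ipaddress.ip_address("192.0.2.54")}

def parse_flow(line):
    """Parse one 'src dst dport proto' flow record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return (ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]),
                int(parts[2]), parts[3].lower())
    except ValueError:
        return None

def audit_dns_flows(lines):
    """Map each client whose port-53 traffic reaches a known-rogue resolver, or any
    resolver outside the allowlist, to the offending destination addresses."""
    findings = defaultdict(lambda: {"rogue": set(), "unexpected": set()})
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue  # skip lines the collector could not format
        src, dst, dport, proto = rec
        if dport != 53 or proto not in ("udp", "tcp"):
            continue  # only DNS traffic is of interest here
        if dst in ROGUE_RESOLVERS:
            findings[src]["rogue"].add(str(dst))
        elif dst not in EXPECTED_RESOLVERS:
            findings[src]["unexpected"].add(str(dst))
    return {str(c): v for c, v in findings.items() if v["rogue"] or v["unexpected"]}

# Constructed sample flow records: "src dst dport proto".
SAMPLE_FLOWS = [
    "10.0.0.5 192.0.2.53 53 udp",      # normal: allowlisted resolver
    "10.0.0.7 5.45.75.11 53 udp",      # hijacked: rogue resolver from the report
    "10.0.0.7 5.45.75.36 53 tcp",      # hijacked: second rogue resolver
    "10.0.0.9 198.51.100.9 53 udp",    # unexpected resolver, worth a look
    "10.0.0.9 198.51.100.9 443 tcp",   # not DNS, ignored
    "not a flow record",               # malformed, ignored
]

if __name__ == "__main__":
    for client, hits in audit_dns_flows(SAMPLE_FLOWS).items():
        print(client, hits)
```

Run it against real flow or firewall logs exported in the same four-field shape; a client that resolves through the rogue pair is a strong indicator that its router's DNS settings have been altered.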
Last month, security analyst Conrad Longmore published a blog post reporting that those IP addresses assigned to 3NT Solutions were involved in "something evil." In particular, the company's IP addresses appeared to be associated with a spam campaign distributing "FlashUpdate.apk" Android malware, which as of Tuesday was only being detected by about half of all antivirus scanners on the market. If the malware is executed on a vulnerable Android device, it then downloads a second piece of malware named "Security-Update.apk," which is a Trojan proxy.
About 10 days ago, Longmore traced 3NT's mailing address to a London branch of Mail Boxes Etc., and the address listed in its WHOIS entry to a London-based mail-forwarding service. But based on a lookup of the IP ranges associated with the business, he said it connects with Inferno.name, which has had a reputation for hosting "scammy sites" since 2011. "I had a look into some of 3NT's IP ranges and you can tell instantly from these samples that they are pretty low-grade spammy sites," he said. "What you can't tell from that list are the command and control servers that they run, and of course they also host malware."
Longmore said that while 3NT appears to be based in Serbia, it's also operating sites in Russia and the Ukraine. He noted that "Ukrainian hosts often serve as black-hat hosts for Russian criminals" and that "Serbia and Russia also have close ties."
Compromising businesses' routers would allow attackers to channel all external traffic through their own DNS servers and launch man-in-the-middle attacks. Accordingly, one possible motive for the 3NT attack campaign could be to intercept consumers' banking credentials, as happened in a recent router-exploitation campaign that targeted users of five Polish banks, including mBank.
But in this case, the quantity of exploited routers suggests that attackers have a different goal. "The scale of this attack suggests a more traditional criminal intent, such as search result redirection, replacing advertisements, or installing drive-by downloads; all activities that need to be done on a large scale for profitability," according to Team Cymru. "The more manually intensive bank account transfers seen in Poland would be difficult to conduct against such a large and geographically disparate victim group."
The twist with the 300,000-plus compromised routers is that they could have been patched, and related exploits thus blocked. "Our research into this campaign did not uncover new, unknown vulnerabilities. Indeed, some of the techniques and vulnerabilities we observed have been public for well over a year," according to Team Cymru.
As that suggests, the number of routers that run unpatched firmware with known, exploitable vulnerabilities, remains rife. Researchers at security firm Tripwire, for example, recently studied the 50 most popular routers for sale on Amazon.com, and found that 74% of them contained vulnerabilities that
Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.