Dark Reading is part of the Informa Tech Division of Informa PLC


Malware-Lobbing Hackers Seize 300,000 Routers

Hackers launch scam and malware campaigns after compromising a variety of routers running firmware with known vulnerabilities.

More than 300,000 home and small-office (SOHO) routers have been compromised by hackers and are being used to distribute massive quantities of spam and malware.

Florida-based security firm Team Cymru sounded that alarm Monday in a research report into the router takeovers, which it's been tracking since January. Hacked routers have been found everywhere from the United States to Russia, although the largest quantity were traced to Vietnam, India, Turkey, Thailand, and Colombia.

Team Cymru has shared its findings with multiple law enforcement agencies, and tried to contact all affected manufacturers, which it said include D-Link, Micronet, Tenda, and TP-Link, among others.

The attackers appear to have gained access to the routers by exploiting known flaws in the devices to gain administrative access and change their DNS settings. (Unlike other hacks, whether or not the users kept the routers' default passwords does not seem related to this attack.) For example, some exploited devices were vulnerable to a cross-site request forgery (CSRF) attack, which allowed attackers to inject malicious JavaScript and alter the routers' DNS settings. Others were running firmware with a known flaw that "allows attackers to download the saved configuration file, and thus the administrative credentials, from an unauthenticated URL in the web interface," according to Team Cymru.

Who's behind the 300,000-router takeover campaign? The compromised devices are connecting to two servers -- located at 5.45.75.11 and 5.45.75.36 -- which handle all external DNS requests. Team Cymru spokesman Steve Santorelli told PC Pro that both of those IP addresses are registered to a supposedly London-based company called 3NT Solutions.
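For defenders, the two resolver addresses above are a usable network indicator. The following added example (not from Team Cymru's report or the original article) audits flow records for port-53 traffic to those addresses or to any resolver outside an approved list; the record format, the sample flows, the approved resolver 192.0.2.53, and the name `audit_dns_flows` are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# The two resolver addresses the article reports compromised routers using.
REPORTED_RESOLVERS = {ipaddress.ip_address(a) for a in ("5.45.75.11", "5.45.75.36")}

# Constructed sample flow records (assumed format):
# "<time> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_FLOWS = """\
2014-03-04T10:00:01 192.168.1.20 192.0.2.53 53 udp
2014-03-04T10:00:02 192.168.1.1 5.45.75.11 53 udp
2014-03-04T10:00:03 192.168.1.35 5.45.75.36 53 tcp
2014-03-04T10:00:04 192.168.1.35 203.0.113.9 53 udp
2014-03-04T10:00:05 192.168.1.20 5.45.75.11 443 tcp
this line is malformed
"""

def audit_dns_flows(flow_text, approved_resolvers):
    """Return (reported, unapproved), each mapping source IP -> sorted DNS destinations.

    reported:   DNS traffic to the resolvers named in the article.
    unapproved: DNS traffic to any other resolver not on the approved list.
    """
    approved = {ipaddress.ip_address(a) for a in approved_resolvers}
    reported, unapproved = defaultdict(set), defaultdict(set)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records instead of failing the audit
        _, src, dst, port, proto = fields
        try:
            ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            dport = int(port)
        except ValueError:
            continue
        # DNS runs over both UDP and TCP port 53; other ports are out of scope here.
        if dport != 53 or proto.lower() not in ("udp", "tcp"):
            continue
        if dst_ip in REPORTED_RESOLVERS:
            reported[src].add(dst)
        elif dst_ip not in approved:
            unapproved[src].add(dst)
    return ({s: sorted(d) for s, d in reported.items()},
            {s: sorted(d) for s, d in unapproved.items()})

if __name__ == "__main__":
    hits, others = audit_dns_flows(SAMPLE_FLOWS, ["192.0.2.53"])
    print("reported resolvers:", hits)
    print("other unapproved resolvers:", others)
```

A hit whose source is the router itself points to changed DNS settings on the device; hits from individual clients suggest the router is handing out the altered resolvers via DHCP.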

Last month, security analyst Conrad Longmore published a blog post reporting that those IP addresses assigned to 3NT Solutions were involved in "something evil." In particular, the company's IP addresses appeared to be associated with a spam campaign distributing "FlashUpdate.apk" Android malware, which as of Tuesday was only being detected by about half of all antivirus scanners on the market. If the malware is executed on a vulnerable Android device, it then downloads a second piece of malware named "Security-Update.apk," which is a Trojan proxy.

About 10 days ago, Longmore traced 3NT's mailing address to a London branch of Mail Boxes Etc., and the address listed in its WHOIS entry to a London-based mail-forwarding service. But based on a lookup of the IP ranges associated with the business, he said it connects with Inferno.name, which has had a reputation for hosting "scammy sites" since 2011. "I had a look into some of 3NT's IP ranges and you can tell instantly from these samples that they are pretty low-grade spammy sites," he said. "What you can't tell from that list are the command and control servers that they run, and of course they also host malware."

Longmore said that while 3NT appears to be based in Serbia, it's also operating sites in Russia and the Ukraine. He noted that "Ukrainian hosts often serve as black-hat hosts for Russian criminals" and that "Serbia and Russia also have close ties."

(Image credit: Wikipedia)

Compromising businesses' routers would allow attackers to channel all external traffic through their own DNS servers and launch man-in-the-middle attacks. Accordingly, one possible motive for the 3NT attack campaign could be to intercept consumers' banking credentials, as happened in a recent router-exploitation campaign that targeted users of five Polish banks, including mBank.

But in this case, the quantity of exploited routers suggests that attackers have a different goal. "The scale of this attack suggests a more traditional criminal intent, such as search result redirection, replacing advertisements, or installing drive-by downloads; all activities that need to be done on a large scale for profitability," according to Team Cymru. "The more manually intensive bank account transfers seen in Poland would be difficult to conduct against such a large and geographically disparate victim group."

The twist with the 300,000-plus compromised routers is that they could have been patched, and related exploits thus blocked. "Our research into this campaign did not uncover new, unknown vulnerabilities. Indeed, some of the techniques and vulnerabilities we observed have been public for well over a year," according to Team Cymru.

As that suggests, routers running unpatched firmware with known, exploitable vulnerabilities remain rife. Researchers at security firm Tripwire, for example, recently studied the 50 most popular routers for sale on Amazon.com, and found that 74% of them contained vulnerabilities that


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Marilyn Cohodas,
User Rank: Strategist
3/5/2014 | 9:42:40 AM
Just the beginning?
"The large number of vulnerabilities found -- and exploited -- in SOHO routers, as well as webcams, will likely soon be joined by the mass exploitation of Internet-connected thermostats, electronic locks, and home automation equipment."

This is really a scary thought. If router manufacturers aren't proactively hardening equipment they sell to the SOHO market, it's hard to imagine that the IoT products in the pipeline will be any more secure.
