Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Malware-Lobbing Hackers Seize 300,000 Routers

Hackers launch scam and malware campaigns after compromising a variety of routers running firmware with known vulnerabilities.

More than 300,000 home and small-office (SOHO) routers have been compromised by hackers and are being used to distribute massive quantities of spam and malware.

Florida-based security firm Team Cymru sounded that alarm Monday in a research report into the router takeovers, which it's been tracking since January. Hacked routers have been found everywhere from the United States to Russia, although the largest quantity were traced to Vietnam, India, Turkey, Thailand, and Columbia.

Team Cymru has shared its findings with multiple law enforcement agencies, and tried to contact all affected manufacturers, which it said include D-Link, Micronet, Tenda, and TP-Link, among others.

The attackers appear to have gained access to the routers by exploiting known flaws in the devices to gain administrative access and change their DNS settings. (Unlike other hacks, whether or not the users kept the routers' default passwords does not seem related to this attack.) For example, some exploited devices were vulnerable to a cross-site request forgery (CSRF) attack, which allowed attackers to inject malicious JavaScript and alter the routers' DNS settings. Others were running firmware with a known flaw that "allows attackers to download the saved configuration file, and thus the administrative credentials, from an unauthenticated URL in the web interface," according to Team Cymru.

[Want to learn more about router vulnerabilities? See D-Link Router Vulnerable To Authentication Bypass.]

Who's behind the 300,000-router takeover campaign? The compromised devices are connecting to two servers -- located at 5.45.75.11 and 5.45.75.36 -- which handle all external DNS requests. Team Cymru spokesman Steve Santorelli told PC Pro that both of those IP addresses are registered to a supposedly London-based company called 3NT Solutions.

Last month, security analyst Conrad Longmore published a blog post reporting that those IP addresses assigned to 3NT Solutions were involved in "something evil." In particular, the company's IP addresses appeared to be associated with a spam campaign distributing "FlashUpdate.apk" Android malware, which as of Tuesday was only being detected by about half of all antivirus scanners on the market. If the malware is executed on a vulnerable Android device, it then downloads a second piece of malware named "Security-Update.apk," which is a Trojan proxy.

About 10 days ago, Longmore traced 3NT's mailing address to a London branch of Mail Boxes Etc., and the address listed in its WHOIS entry to a London-based mail-forwarding service. But based on a lookup of the IP ranges associated with the business, he said it connects with Inferno.name, which has had a reputation for hosting "scammy sites" since 2011. "I had a look into some of 3NT's IP ranges and you can tell instantly from these samples that they are pretty low-grade spammy sites," he said. "What you can't tell from that list are the command and control servers that they run, and of course they also host malware."

Longmore said that while 3NT appears to be based in Serbia, it's also operating sites in Russia and the Ukraine. He noted that "Ukrainian hosts often serve as black-hat hosts for Russian criminals" and that "Serbia and Russia also have close ties."

(Image credit: Wikipedia)
(Image credit: Wikipedia)

Compromising businesses' routers would allow attackers to channel all external traffic through their own DNS servers and launch man-in-the-middle attacks. Accordingly, one possible motive for the 3NT attack campaign could be to intercept consumers' banking credentials, as happened in a recent router-exploitation campaign that targeted users of five Polish banks, including mBank.

But in this case, the quantity of exploited routers suggests that attackers have a different goal. "The scale of this attack suggests a more traditional criminal intent, such as search result redirection, replacing advertisements, or installing drive-by downloads; all activities that need to be done on a large scale for profitability," according to Team Cymru. "The more manually intensive bank account transfers seen in Poland would be difficult to conduct against such a large and geographically disparate victim group."

The twist with the 300,000-plus compromised routers is that they could have been patched, and related exploits thus blocked. "Our research into this campaign did not uncover new, unknown vulnerabilities. Indeed, some of the techniques and vulnerabilities we observed have been public for well over a year," according to Team Cymru.

As that suggests, the number of routers that run unpatched firmware with known, exploitable vulnerabilities, remains rife. Researchers at security firm Tripwire, for example, recently studied the 50 most popular routers for sale on Amazon.com, and found that 74% of them contained vulnerabilities that

Next Page

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/5/2014 | 9:42:40 AM
Just the beginning?
"The large number of vulnerabilities found -- and exploited -- in SOHO routers, as well as webcams, will likely soon be joined by the mass exploitation of Internet-connected thermostats, electronic locks, and home automation equipment."

This is really a scary thought. If router manufacturers aren't proactively hardening equipment they sell to the the SOHO market, it's hard to imagine that the IoT products in the pipeline will be any more secure.

 
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...