300,000 routers hijacked, modified in malicious attack

Scorpus

Staff member

Another malicious router attack has been uncovered by researchers, which so far has affected over 300,000 home and small-office routers from manufacturers including D-Link, TP-Link, Micronet and Tenda. Hackers have successfully compromised the routers in question and changed DNS server settings, which can lead to serious consequences.

According to Team Cymru, who published details of the attack on Monday, a variety of techniques have been used to access and modify the settings of the routers in question. Specifically, hackers may have used a cross-site request forgery (CSRF) attack to automatically change DNS settings after web interface passwords are set to blank. Another vulnerability gives attackers access to configuration files through an unauthenticated URL.

Attacks such as this are only possible thanks to vulnerabilities in the router's firmware. Team Cymru reports that most users affected by the attack reside in Vietnam, India and Italy - countries where ISPs likely supply affected routers - although some United States users were also hit.

Any routers compromised by the hackers in question have had their DNS servers changed to 5.45.75.11 and 5.45.75.36, which opens the doors to malicious activity. For example, the attackers could direct online banking traffic to booby-trapped websites designed to steal credentials, or malicious software could be unwittingly downloaded.

Team Cymru notes similarities between this attack and another recent attack targeting Polish customers, when hackers modified DNS settings to redirect users to false websites where banking details were stolen. However, due to the scale of this attack, Team Cymru believes attackers had a "more traditional criminal intent" to perform activities "such as search result redirection, replacing advertisements, or installing drive-by downloads."

This effort to compromise routers comes shortly after several others, including one that saw files on drives connected to Asus routers accessed by hackers, and a worm that compromised thousands of Linksys devices.
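The article gives two concrete indicators: the rogue resolver addresses 5.45.75.11 and 5.45.75.36. The check below is an added example (not from the article or from Team Cymru) of how a defender can sweep resolver configurations for those indicators. It parses both resolv.conf-style `nameserver` lines and the multi-line `DNS Servers` block that `ipconfig /all` prints on Windows, and it accepts CIDR indicators as well as single addresses so the same routine can cover a whole range if one is published later. The sample inputs are constructed for the demonstration.

```python
import ipaddress
import re

# Rogue resolvers named in the Team Cymru report (from the article above).
ROGUE_DNS = ("5.45.75.11", "5.45.75.36")

# resolv.conf: "nameserver 1.2.3.4"
_RESOLV_RE = re.compile(r"^nameserver\s+(\S+)$", re.IGNORECASE)
# ipconfig /all: "DNS Servers . . . . . : 1.2.3.4" (extra servers follow on indented lines)
_IPCONFIG_RE = re.compile(r"^DNS Servers[ .]*:\s*(\S*)$", re.IGNORECASE)


def extract_nameservers(text):
    """Return the IPv4 resolver addresses found in resolv.conf text or ipconfig output."""
    found = []
    in_dns_block = False  # True while reading ipconfig's multi-line "DNS Servers" list
    for raw in text.splitlines():
        line = raw.strip()
        resolv = _RESOLV_RE.match(line)
        ipconfig = _IPCONFIG_RE.match(line)
        if resolv:
            candidate, in_dns_block = resolv.group(1), False
        elif ipconfig:
            candidate, in_dns_block = ipconfig.group(1), True
        elif in_dns_block and re.fullmatch(r"\S+", line):
            candidate = line  # indented continuation line naming the next server
        else:
            in_dns_block = False
            continue
        try:
            found.append(str(ipaddress.IPv4Address(candidate)))
        except ipaddress.AddressValueError:
            continue  # IPv6 resolvers or malformed octets are skipped, not flagged
    return found


def find_rogue_dns(text, indicators=ROGUE_DNS):
    """Return the resolvers in `text` that fall inside any indicator.

    Indicators may be single addresses ("5.45.75.11") or networks ("5.45.75.0/24").
    """
    nets = [ipaddress.ip_network(i, strict=False) for i in indicators]
    hits = {ns for ns in extract_nameservers(text)
            if any(ipaddress.ip_address(ns) in net for net in nets)}
    return sorted(hits)


# Constructed sample inputs: a Linux resolv.conf and a fragment of Windows ipconfig output.
SAMPLE_RESOLV_CONF = "# constructed for this example\nnameserver 5.45.75.11\nnameserver 1.1.1.1\n"
SAMPLE_IPCONFIG = (
    "   DNS Servers . . . . . . . . . . . : 5.45.75.36\n"
    "                                       5.45.75.11\n"
    "   NetBIOS over Tcpip . . . . . . . : Enabled\n"
)

if __name__ == "__main__":
    for name, sample in (("resolv.conf", SAMPLE_RESOLV_CONF), ("ipconfig", SAMPLE_IPCONFIG)):
        hits = find_rogue_dns(sample)
        print(f"{name}: {'ROGUE DNS ' + ', '.join(hits) if hits else 'clean'}")
```

On a LAN where the router hands out its own address as the resolver, the host will show 192.168.x.x and the check has to be run against the upstream servers listed in the router's WAN/DHCP settings instead; the parser only tells you what the host was given.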


 
Can anyone direct me to the best mitigation strategies? My guess is check the router & use strong password, but that I am sure is incomplete and woefully inadequate.
 
> Can anyone direct me to the best mitigation strategies? My guess is check the router & use strong password, but that I am sure is incomplete and woefully inadequate.

I would say use custom firmware, as then you know exactly what is being changed on the router as well as what kind of security the router will then have; plus, custom firmware like the Tomato mod seems to be doing very nicely.
 
Disable remote access to the router, or use a different username and a strong password and change the access port number. Also, as wastedkill said, use custom firmware, but follow the first advice as well.
 
> Disable remote access to the router, or use a different username and a strong password and change the access port number. Also, as wastedkill said, use custom firmware, but follow the first advice as well.

Let's not forget to disable FTP entirely on the router as well.
 
You can always pull the ISP cord out before you go to bed. All home routers have all sorts of holes. You can disable VPN tunnel, FTP, remote access, etc.
 
It's difficult to use anything other than default passwords when trying to repair others' routers like I do. They say that with this hack it doesn't matter what the password is. I was never able to sign on to any of my routers remotely, nor without knowing the wifi password, so I think when worrying we should give ease of repair a chance. Very often users have no clue.
 
> It's difficult to use anything other than default passwords when trying to repair others' routers like I do. They say that with this hack it doesn't matter what the password is. I was never able to sign on to any of my routers remotely, nor without knowing the wifi password, so I think when worrying we should give ease of repair a chance. Very often users have no clue.

Not sure if you missed a step. I was talking about the password to access the router's remote administration page, not the wifi password; 99% of home users do not use or need remote access. The wifi password has nothing to do with this: the hackers are likely to be on the other side of the world rather than next door.

I agree with your last sentence though ;)
 
> It's difficult to use anything other than default passwords when trying to repair others' routers like I do. They say that with this hack it doesn't matter what the password is. I was never able to sign on to any of my routers remotely, nor without knowing the wifi password, so I think when worrying we should give ease of repair a chance. Very often users have no clue.

Printing a random default password on the router label could work for repair, but would give much better security against remote hackers. I really hope every vendor that produces equipment could follow this rule. Or encrypt/hash the factory MAC address with some private key only the vendor knows, if keeping a database of default passwords is too expensive. (That's like image signing in our smartphones.) The techniques have been there for a long time; vendors just choose not to use them, which is really sad.
 
While an "alarming"-sounding article, if you click through to the ACTUAL data, the report authors don't break down how many of the 300K "compromised routers" were 'attacked' via an internet-facing (remote) admin/config interface and/or via surfing to a rogue website which installed JavaScript which either read the stored login credentials or hacked weak or default admin passwords to gain access to the router's configuration pages on the LAN side.

Clearly some 'social engineering' was involved to direct enough users to the rogue website which contained the Java/JavaScript code used to gain access to the routers in question.

Moral(s): Always do extensive firewall testing of a new router before putting it in service, never ever have remote access to your router's configuration page enabled, never allow your browser to save web forms or auto-fill passwords for you, always use strong passwords, never use a router's default configuration, and last but not least: Java, JavaScript and Flash are security risks that are easily avoided, and 90%+ of the web can be used without them.

Considering the countless millions of routers out in the 'wild', the 300K represents a very small percentage, but it is worth noting as many of the OEMs involved sell models for the US.
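The article and the comment above both describe the same weak spot: a router admin page that accepts a "change DNS" request from any page the browser happens to be on (cross-site request forgery), so a rogue website can submit the form on the user's behalf. The snippet below is an added example, not code from any of the vendors named in the article, of the server-side check a router web UI would need before honouring such a request: the request must come from the router's own origin (checked via the Origin header, falling back to Referer) and carry a per-session CSRF token that a third-party page cannot read. `ROUTER_ORIGIN`, `set_dns` and the dictionary-shaped request/session objects are assumptions made for the demonstration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the router's admin UI (constructed for this example).
ROUTER_ORIGIN = "http://192.168.1.1"


def new_session():
    """Issue a logged-in session with a fresh CSRF token bound to it."""
    return {"authenticated": True, "csrf_token": secrets.token_urlsafe(32)}


def csrf_check(headers, form, session):
    """Return (ok, reason). Rejects requests that the admin UI's own pages could not have sent."""
    if not session.get("authenticated"):
        return False, "not logged in"
    # Browsers attach Origin on cross-site POSTs and cannot be told not to by a rogue page;
    # a request with neither header is refused rather than trusted.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "missing Origin/Referer"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != ROUTER_ORIGIN:
        return False, "cross-site origin"
    # The token lives only in pages served by the router, so a third-party page
    # cannot include it; compare in constant time to avoid leaking it byte by byte.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
        return False, "bad CSRF token"
    return True, "ok"


def set_dns(headers, form, session, config):
    """Handler for the DNS settings form; only writes config after the CSRF check passes."""
    ok, reason = csrf_check(headers, form, session)
    if not ok:
        return False, reason
    config["dns"] = [form["dns1"], form["dns2"]]
    return True, "dns updated"


if __name__ == "__main__":
    session = new_session()
    config = {"dns": ["9.9.9.9", "1.1.1.1"]}
    # Constructed cross-site submission: the form is complete, but it was posted from
    # another site, so the Origin header does not match the router's.
    forged = {"dns1": "5.45.75.11", "dns2": "5.45.75.36"}
    print(set_dns({"Origin": "http://rogue.invalid"}, forged, session, config))
    # Legitimate submission from the router's own page, carrying the session token.
    legit = {"csrf_token": session["csrf_token"], "dns1": "9.9.9.9", "dns2": "1.1.1.1"}
    print(set_dns({"Origin": ROUTER_ORIGIN}, legit, session, config))
```

Note that the article says the attackers first blanked the web interface password, so an "is the user logged in" check by itself would not have stopped this campaign; it is the origin and token checks that make the forged request fail regardless of the password state.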
 