News of a backdoor in routers produced by China-based networking solutions provider Netis Systems might be of the past, but the vulnerability is part of the present: tens of millions of attempts to scan for the backdoor have been registered since August, Trend Micro researchers warn.
Over two years ago, routers produced by Netis Systems, part of the Netcore Group, were revealed to be exposed by a backdoor that would provide an attacker with complete control over the device. The attacker only needed to know the router’s external IP address and could gain access to it through the UDP port 53413, after which they could access the backdoor by entering a password hardcoded in the firmware.
With full control over the affected devices, an attacker could modify settings to carry out man-in-the-middle attacks and could perform other nefarious activities as well, security researchers warned. What’s more, the documentation attached to the routers didn’t mention anything about the backdoor and how it could be used, researchers said at the time.
Now, Trend Micro says that the backdoor continues to be used, based on data gathered by one of its TippingPoint Digital Vaccine (DV) filters. DV filter 32391, designed to check for any attempt to scan for this specific backdoor, shows a massive amount of backdoor communication attempts.
The security firm’s reporting dashboard known as ThreatLinQ has detected around 2.9 million hits since the filter was released in August of 2016, Trend Micro’s Steve Povolny explains. He also underlines that these statistics are based on approximately 5% of customer filter hits, meaning that over 57 million events have been registered in the timeframe.
The security researchers decided to analyze the pcaps from the TippingPoint devices and discovered that all of them are true positives. Thus, they decided to deepen their search and discovered a number of public exploit or scanning tools designed to leverage this backdoor functionality specifically.
Povolny also notes that they detected nearly 50,000 events on a single IPS in the last week, and that most of them originated from the UK (40,000 hits). Most of the remainder hits came from China and North Korea, and the security researcher says that this data can be retrieved directly from the SMS dashboard.
“What this highlights is an active campaign of world-wide scanning across the IPv4 space, looking for Internet-accessible routers that respond to the backdoor probe. Given the length of this campaign and the sheer volume, not to mention the ease of exploitation, it’s very likely that a large number of these routers are being compromised and used for nefarious purposes such as man-in-the middle attacks,” Povolny explains.
Netis released a patch for the backdoor a while back, but flaws in implementation and the fact that the backdoor code itself has not been removed render impacted devices vulnerable still.
