
Widespread Attack Campaign Highlights Router Security Woes

Researchers at Team Cymru have detailed a massive compromise of small office/home office (SOHO) routers throughout Europe and Asia and shined a light on the security of devices that are sometimes overlooked.

According to Team Cymru, the attackers are altering the domain name system (DNS) settings on devices to redirect victims to IP addresses and domains under their control. Believed to have impacted more than 300,000 routers from TP-Link, D-Link and others, the attack campaign underscores a particularly dangerous attack vector for users.

“We have been collecting SOHO router attacks in the Metasploit Framework for many, many months now, and have been predicting a steep rise in criminal activity in this area over the same period,” said Tod Beardsley, engineer manager at Rapid7. “It was only a matter of time before these woefully out of date, and often difficult to patch, devices became primary targets for criminal enterprise.”

It is far from the first time routers have been targeted by attackers. The SANS Institute warned about the spread of a worm targeting Linksys routers, and as far back as 2011 researchers at Kaspersky Lab observed a widespread attack in Brazil that affected 4.5 million devices.

“It’s becoming common, but still not known to the public,” Fabio Assolini, security researcher at Kaspersky Lab, said of router attacks.

The situation described by Team Cymru is sophisticated because it is silent and remote, and the perpetrator can prepare a crawler to scan a certain IP range to find vulnerable devices and attack them, Assolini explained.

“All they need is a vulnerability not fixed by the network device manufacturer or finding an outdated device, running an old firmware,” he said.

In January 2014, Team Cymru’s Enterprise Intelligence Services began investigating a SOHO pharming campaign that had overwritten router DNS settings in central Europe. To date, 300,000 devices around the world have been identified as compromised as part of this campaign, which dates back to at least mid-December 2013. The affected devices had their DNS settings changed to use the IP addresses 5.45.75.11 and 5.45.75.36.


Most of these devices are located in Vietnam; however, others are located in Italy, India and Thailand.

“The affected devices we observed were vulnerable to multiple exploit techniques including a recently disclosed authentication bypass vulnerability in ZyXEL firmware and cross-site request forgery techniques similar to those reported in late 2013,” according to the Team Cymru paper.

“Because of the ubiquity of factory default settings on SOHO devices, some are vulnerable to simple password guessing,” according to the report. “We observed many of the devices communicating with suspicious DNS servers had graphical user interfaces that [were] accessible from the Internet, and thus vulnerable to simple brute force log-on attempts. A considerable number of remotely accessible devices appeared vulnerable to the ‘ROM-0’ vulnerability published in early January. This vulnerability in ZyXEL’s ZynOS allows attackers to download the router’s configuration file from the unauthenticated GUI URL: http://[IP address]/rom-0. While the resulting ROM-0 file still has to be decompressed, this process is trivial with available tools, and automated attack scripts are available online which explicitly call out the ability to change DNS settings.”

Organizations should urge their customers and external partners to review their local router settings and security policies and to disable remote user mode administration features, Team Cymru recommends. Command line configuration of devices should be used where possible.

“The absolute easiest thing users of SOHO devices can do to help protect themselves is to figure out non-factory-default settings for their routers,” Beardsley said. “First and foremost, that means changing passwords and writing those passwords down in a reasonably secure location, like on the underside of the router – this assumes the attacker isn’t ‘calling from inside the house.’

“To avoid the [cross-site request forgery] attacks documented by Team Cymru in specific, the easiest route to avoiding compromise is to also change the default network settings,” he said. “Ninety-nine percent of SOHO routers use 192.168.1.0/24 or 172.16.0.0/16 or 10.0.0.0/8, with a router address of 192.168.1.1, 172.16.1.1 or 10.1.1.1 respectively. Simply changing the network to something more restricted (172.16.100.0/24, for example), and the router address to something a little weird like 172.16.100.100, makes automated attacks that use CSRF to send commands to the router much more difficult to pull off.”
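The two rogue resolvers named in the Team Cymru findings and the hardening advice quoted above can be turned into a simple configuration audit. The following is an added example, not code from the article or from Team Cymru or Rapid7; the `RouterConfig` structure is hypothetical and stands in for whatever a given router's GUI or CLI reports, and the sample configurations are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Rogue resolvers the Team Cymru report ties to this pharming campaign.
ROGUE_DNS = {"5.45.75.11", "5.45.75.36"}
# Factory-default LAN networks and router addresses that, per Beardsley,
# automated CSRF attacks against SOHO routers assume.
DEFAULT_LANS = {"192.168.1.0/24", "172.16.0.0/16", "10.0.0.0/8"}
DEFAULT_GATEWAYS = {"192.168.1.1", "172.16.1.1", "10.1.1.1"}


@dataclass
class RouterConfig:
    """Hypothetical, vendor-neutral view of a SOHO router's settings."""
    dns_servers: list
    lan_network: str            # e.g. "192.168.1.0/24"
    router_address: str         # e.g. "192.168.1.1"
    remote_admin_enabled: bool  # WAN-facing GUI / remote management
    factory_default_password: bool


def audit_router(cfg: RouterConfig) -> list:
    """Return findings as short tags; an empty list means nothing flagged."""
    findings = []
    for server in cfg.dns_servers:
        # A match here means the device was pointed at the campaign's resolvers.
        if server in ROGUE_DNS:
            findings.append(f"dns-hijacked:{server}")
    lan = ipaddress.ip_network(cfg.lan_network, strict=False)
    if str(lan) in DEFAULT_LANS:
        findings.append("default-lan-network")
    if cfg.router_address in DEFAULT_GATEWAYS:
        findings.append("default-router-address")
    if cfg.remote_admin_enabled:
        findings.append("remote-admin-enabled")
    if cfg.factory_default_password:
        findings.append("factory-default-password")
    return findings


# Constructed sample: a device as it would look after this campaign hit it.
COMPROMISED = RouterConfig(["5.45.75.11", "5.45.75.36"], "192.168.1.0/24",
                           "192.168.1.1", True, True)
# Constructed sample following the advice quoted in the article; 203.0.113.53
# is a documentation address standing in for the ISP's resolver.
HARDENED = RouterConfig(["203.0.113.53"], "172.16.100.0/24",
                        "172.16.100.100", False, False)

if __name__ == "__main__":
    print(audit_router(COMPROMISED))
    print(audit_router(HARDENED))
```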

The attack is another example of consumers being surrounded by devices they don’t think of as computers, said Patrick Thomas, security consultant at Neohapsis. All of the security concerns with normal desktop computers exist with these devices, but neither consumers nor manufacturers have adjusted to thinking this way, he said.

“Microsoft didn’t get a handle on the security of the Windows ecosystem until they had solid automatic updates,” he said. “Similarly, web browsers and their plugins were a security nightmare until all of the major browser vendors rolled out reliable auto-update approaches. In general, consumers lack the expertise and initiative to manually maintain software versions on their devices, so the onus is on vendors to build sane updating into anything that might possibly need it.” 

For most home users, routers are a ‘set it and forget it’ type of device, said Jaeson Schultz, a researcher with Cisco’s Security Threat Research, Analysis and Communications (TRAC) team.

“Only when things aren’t working correctly do users even notice,” he said. “There is also no easy mechanism for the router manufacturers to notify users of security vulnerabilities. Because of this…routers can lag other devices in terms of proper security update application.”

*This story was updated with additional commentary.

Written By

Marketing professional with a background in journalism and a focus on IT security.
