Widespread Attack Campaign Highlights Router Security Woes

Researchers at Team Cymru have detailed a massive compromise of small office/home office (SOHO) routers throughout Europe and Asia and shined a light on the security of devices that are sometimes overlooked.

According to Team Cymru, the attackers are altering the domain name system (DNS) settings on devices to redirect victims to IP addresses and domains under their control. Believed to have impacted more than 300,000 routers from TP-Link, D-Link and others, the attack campaign underscores a particularly dangerous attack vector for users.

“We have been collecting SOHO router attacks in the Metasploit Framework for many, many months now, and have been predicting a steep rise in criminal activity in this area over the same period,” said Tod Beardsley, engineering manager at Rapid7. “It was only a matter of time before these woefully out of date, and often difficult to patch, devices became primary targets for criminal enterprise.”

It is far from the first time routers have been targeted by attackers. The SANS Institute has warned about the spread of a worm targeting Linksys routers, and as far back as 2011 researchers at Kaspersky Lab observed a widespread attack in Brazil that affected 4.5 million devices.

“It’s becoming common, but still not known to the public,” Fabio Assolini, security researcher at Kaspersky Lab, said of router attacks.

The situation described by Team Cymru is sophisticated because it is silent and remote: the perpetrator can prepare a crawler that scans a given IP range to find and attack vulnerable devices, Assolini explained.

“All they need is a vulnerability not fixed by the network device manufacturer, or finding an outdated device running an old firmware,” he said.


In January 2014, Team Cymru’s Enterprise Intelligence Services began investigating a SOHO pharming campaign that had overwritten router DNS settings in central Europe. To date, 300,000 devices around the world have been identified as compromised by this campaign, which dates back to at least mid-December 2013. The affected devices had their DNS settings changed to use the IP addresses and

Most of these devices are located in Vietnam; however others are located in Italy, India and Thailand.

“The affected devices we observed were vulnerable to multiple exploit techniques including a recently disclosed authentication bypass vulnerability in ZyXEL firmware and cross-site request forgery techniques similar to those reported in late 2013,” according to the Team Cymru paper.

“Because of the ubiquity of factory default settings on SOHO devices, some are vulnerable to simple password guessing,” according to the report. “We observed many of the devices communicating with suspicious DNS servers had graphical user interfaces that [were] accessible from the Internet, and thus vulnerable to simple brute force log-on attempts. A considerable number of remotely accessible devices appeared vulnerable to the ‘ROM-0’ vulnerability published in early January. This vulnerability in ZyXEL’s ZynOS allows attackers to download the router’s configuration file from the unauthenticated GUI URL: http://[IP address]/rom-0. While the resulting ROM-0 file still has to be decompressed, this process is trivial with available tools, and automated attack scripts are available online which explicitly call out the ability to change DNS settings.”
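The two symptoms Team Cymru describes, rewritten resolver settings and routers talking to DNS servers outside the ISP's footprint, are something an operator can check for across its own customer base without touching the devices' web interfaces. The Python script below is an added example, not Team Cymru's tooling or anything from the report: it takes constructed router snapshots (management address, the resolvers the router hands to its LAN, and the A record those resolvers returned for a few monitored names), flags any resolver that is neither a LAN address nor on an allowlist, and flags answers that disagree with a trusted baseline. The allowlist, the monitored domains, the record layout and every address (all from RFC 5737 documentation ranges and RFC 2606 reserved names) are assumptions made for the example.

```python
"""Audit SOHO router DNS settings for pharming indicators (added example).

Two checks per router snapshot:
  1. rogue resolver  - a configured DNS server that is neither a LAN address
                       nor on the operator's allowlist;
  2. pharmed answer  - a monitored name resolved, via the router's resolvers,
                       to an address outside the trusted baseline.
No network I/O: snapshots are constructed inline so the script runs offline.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical allowlist: the ISP's resolver block plus one secondary resolver.
# RFC 5737 documentation addresses stand in for the real ones.
TRUSTED_RESOLVERS = [
    ipaddress.ip_network("203.0.113.0/24"),    # assumed ISP resolver block
    ipaddress.ip_network("198.51.100.53/32"),  # assumed secondary resolver
]

# RFC 1918 plus loopback and link-local. Listed explicitly rather than using
# IPv4Address.is_private, which also treats the RFC 5737 documentation ranges
# used in this example as private and would hide a rogue resolver.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Baseline A records for monitored names, as returned by a trusted resolver
# (constructed data; RFC 2606 reserved domain names).
EXPECTED_ANSWERS = {
    "bank.example": {"203.0.113.10"},
    "mail.example": {"203.0.113.20", "203.0.113.21"},
}


@dataclass
class RouterSnapshot:
    device: str        # router's WAN or management address
    resolvers: tuple   # DNS servers the router hands out to LAN clients
    answers: dict      # {domain: A record seen through those resolvers}


@dataclass
class Finding:
    device: str
    indicator: str     # "rogue-resolver", "pharmed-answer" or "bad-resolver"
    detail: str


def classify_resolver(addr: str) -> str:
    """Return 'local', 'trusted' or 'suspicious' for one configured DNS server.

    Raises ValueError if addr is not an IP address at all.
    """
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in LOCAL_RANGES):
        return "local"          # router forwards to itself or a LAN resolver
    if any(ip in net for net in TRUSTED_RESOLVERS):
        return "trusted"
    return "suspicious"


def audit(snapshots) -> list:
    """Run both checks over every snapshot; return Findings in discovery order."""
    findings = []
    for snap in snapshots:
        for r in snap.resolvers:
            try:
                verdict = classify_resolver(r)
            except ValueError:
                findings.append(Finding(snap.device, "bad-resolver",
                                        f"unparseable resolver {r!r}"))
                continue
            if verdict == "suspicious":
                findings.append(Finding(snap.device, "rogue-resolver",
                                        f"DNS server {r} is not in the allowlist"))
        for domain, answer in snap.answers.items():
            legit = EXPECTED_ANSWERS.get(domain)
            if legit is None:
                continue        # no baseline for this name, so nothing to compare
            if answer not in legit:
                findings.append(Finding(snap.device, "pharmed-answer",
                    f"{domain} resolved to {answer}, expected one of {sorted(legit)}"))
    return findings


# Constructed sample: a clean router, one with rewritten DNS settings, and one
# whose config carries a malformed entry (a real export will have those too).
SAMPLE = [
    RouterSnapshot("192.0.2.10", ("203.0.113.5", "198.51.100.53"),
                   {"bank.example": "203.0.113.10"}),
    RouterSnapshot("192.0.2.11", ("192.0.2.99", "198.51.100.53"),
                   {"bank.example": "192.0.2.77", "mail.example": "203.0.113.21"}),
    RouterSnapshot("192.0.2.12", ("192.168.10.1", "not-an-ip"), {}),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.device}: [{f.indicator}] {f.detail}")
```

In practice the snapshots would be populated from the resolver fields of each router's configuration export and from lookups issued through those resolvers for a handful of high-value names; the value of the second check is that it catches a pharmed device even when the attacker's resolver happens to sit inside a range the allowlist is too generous about.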

Organizations should urge their customers and external partners to review their local router settings and security policies and to disable remote administration features, Team Cymru recommends. Command line configuration of devices should be used where possible.

“The absolute easiest thing users of SOHO devices can do to help protect themselves is to figure out non-factory-default settings for their routers,” Beardsley said. “First and foremost, that means changing passwords and writing those passwords down in a reasonably secure location, like on the underside of the router – this assumes the attacker isn’t ‘calling from inside the house.’

“To avoid the [cross-site request forgery] attacks documented by Team Cymru in specific, the easiest route to avoiding compromise is to also change the default network settings,” he said. “Ninety-nine percent of SOHO routers use or or, with a router address of, or respectively. Simply changing the network to something more restricted (, for example), and the router address to something a little weird like, makes automated attacks that use CSRF to send commands to the router much more difficult to pull off.”

The attack is another example of consumers being surrounded by devices they don’t think of as computers, said Patrick Thomas, security consultant at Neohapsis. All of the security concerns with normal desktop computers exist with these devices, but neither consumers nor manufacturers have adjusted to thinking this way, he said.

“Microsoft didn’t get a handle on the security of the Windows ecosystem until they had solid automatic updates,” he said. “Similarly, web browsers and their plugins were a security nightmare until all of the major browser vendors rolled out reliable auto-update approaches. In general, consumers lack the expertise and initiative to manually maintain software versions on their devices, so the onus is on vendors to build sane updating into anything that might possibly need it.” 

For most home users, routers are a ‘set it and forget it’ type of device, said Jaeson Schultz, a researcher with Cisco’s Security Threat Research, Analysis and Communications (TRAC) team.

“Only when things aren’t working correctly do users even notice,” he said. “There is also no easy mechanism for the router manufacturers to notify users of security vulnerabilities. Because of this…routers can lag other devices in terms of proper security update application.”

*This story was updated with additional commentary.