300,000 Compromised Routers Redirecting Traffic to Attacker Sites

More than 300,000 home and small office routers were compromised in large-scale attacks that altered DNS configurations and redirected traffic to attacker-controlled sites.

More than 300,000 small office and home office routers, most in Europe and Asia, were compromised in a campaign that started in mid-December, continuing a rash of security incidents involving home and small business networking equipment.

Researchers at Team Cymru published a report today on the pharming attacks. The attackers are overwriting DNS settings on the devices and redirecting DNS requests to attacker-controlled sites via extensive man-in-the-middle attacks.

Routers from a number of manufacturers, including TP-Link, D-Link, Micronet, Tenda, and others, are involved and victims are concentrated in Vietnam, India, Italy and Thailand. Team Cymru said it notified the affected vendors, none of which responded to its outreach. In addition, the researchers said they had notified law enforcement.

The researchers identified the IP addresses involved: 5[.]45[.]75[.]11 and 5[.]45[.]75[.]36. Since the routers’ primary DNS IP addresses are overwritten in the attacks, the victims are susceptible to denial of service if the attackers’ servers are taken down, Team Cymru said.

The attacks were detected in January on several TP-Link routers redirecting victims to the two IP addresses; the TP-Link routers were not accessible via default passwords, Team Cymru said. Instead, the hackers exploited a cross-site request forgery vulnerability on the devices and a version of the ZyXEL ZynOS firmware that was vulnerable to attacks where a hacker would be able to download a saved configuration file that included admin credentials from a URL in the web interface that did not require authentication.

Team Cymru said it observed more than 300,000 unique IP addresses sending DNS requests to the attack servers, which were acting as open resolvers, thus responding to any external request.

The researchers said in the report that the campaigns are similar to the attacks against a number of banks in Poland recently, but are likely being conducted by separate hacker groups. Poland’s mBank was targeted by similar DNS redirection attacks, which attackers used to steal credentials for online accounts. In those attacks, SMS messages were sent to victims, enticing them to approve transfers to the attackers’ accounts. The IP addresses involved in the mBank attacks were 95[.]211[.]241[.]94 and 95[.]211[.]205[.]5. Unlike the latest router attacks, only 80 or so were observed by Team Cymru.

“The scale of this attack suggests a more traditional criminal intent, such as search result redirection, replacing advertisements, or installing drive-by downloads; all activities that need to be done on a large scale for profitability. The more manually-intensive bank account transfers seen in Poland would be difficult to conduct against such a large and geographically-disparate victim group,” the report said.

Attackers have been targeting home networking gear with relative success for a bit of time now. The most recent incident was the so-called Moon worm identified by the SANS Institute. Moon spread over Linksys home and SMB routers, exploiting a CGI script vulnerability that allowed it to spread over the HNAP protocol used in Cisco devices. It was unclear at the time whether there was a malicious payload, or what kind of command-and-control communication was happening.

“There are about 670 different IP ranges that it scans for other routers. They appear to all belong to different cable modem and DSL ISPs. They are distributed somewhat worldwide),” said SANS CTO Johannes Ullrich said. “We are still working on analysis what it exactly does. But so far, it looks like all it does is spread (which is why we call it a worm “It may have a ‘call-home’ feature that will report back when it infected new hosts.”

Suggested articles