Default Credentials Lead to Massive DDoS-For-Hire Botnet

Tens of thousands of home and office-based routers have been hijacked over the last several months to stage a distributed denial of service attack campaign.

Tens of thousands of home and office-based routers have been hijacked over the last several months to form a botnet used to stage a DDoS campaign.

The attacks first surfaced at the tail end of last year, around Dec. 29, and after a short reprieve, spiked twofold over the last month. The web security firm Incapsula was already researching the attacks after some of its customers had reported getting DDoS’d but it was April’s massive jump in figures that prompted researchers to dig deeper.

Incapsula discovered a botnet, still largely active, that primarily consists of routers manufactured by the California-based networking company Ubiquiti Networks. While the firm initially assumed the routers suffered from a shared firmware flaw, researchers were able to determine that all units are remotely accessible via HTTP and SSH on their default ports, and could also be accessed via vendor-provided default login credentials. This opens the routers up to eavesdropping, man-in-the-middle attacks, cookie hijack, and gives attackers the ability to gain access to other local network devices.

The botnet scans for other routers that may have been misconfigured and executes shell scripts to access their SSH ports via default credentials.

“For perpetrators, this is like shooting fish in a barrel, which makes each of the scans that much more effective,” the firm said in a report released Tuesday, “Using this botnet also enables perpetrators to execute distributed scans, improving their chances against commonplace blacklisting, rate-limiting and reputation-based defense mechanisms.”

In total the firm detected 40,269 IPs belonging to 1600 ISPs across 109 countries, including the U.S. and India, yet the lion’s share of compromised routers, 85 percent, can be traced back to Thailand and Brazil.

Each compromised router was infected with strains of malware used for DDoS attacks, including on average four variants of MrBlack, along with Dofloo, and Mayday. Some of the variants were even spotted reporting to the AnonOps IRC channel, something that suggests to Incapsula that at some point the hacktivist group Anonymous may have had a role in exploiting the devices.

For what it’s worth Incapsula suggests that Lizard Squad, the hacking group which gained notoriety around Christmas last year for taking down both the Xbox Live and Playstation Network, may also have a hand in the botnet – or if not the same one, a very similar botnet. Lizard Squad’s botnet, which surfaced around the same time, was injected with similar code and searched for similar vulnerable routers to fortify its campaign, but apparently used different malware (Lizard Squad, Linux.Back-Door.Fgt.1) to carry out its attacks.

Yet last month, when Lizard Squad boasted it had acquired a more powerful botnet, it also happened to coincide with the influx of DDoS attacks that Incapsula was monitoring.

Incapsula insists that “none of these circumstantial correlations offer any hard evidence of the groups’ involvement,” but it is continuing to entertain a connection, tenuous or not.

The firm, which contacted Ubiquiti about its router miscongurations prior to disclosure, is still encouraging router owners to verify that their devices aren’t protected by default credentials and to ensure they’ve updated to the most recent router firmware.

Suggested articles