Bad Security Lets Attackers Hijack 300K SOHO Nets

Heat map shows distribution of 300,000+ hijacked SOHO routers

Servers at two IP addresses in London have hijacked more than 300,000 home routers worldwide in an attack that demonstrates the vulnerability of routers designed for consumers.

The attack has nothing to do with TheMoon worm that recently assaulted some Linksys routers, and is separate from a recently discovered large-scale attack on home routers in Poland, according to security firm Team Cymru, which discovered the attacks.

The exploit takes advantage of weak security in most routers designed for small office/home office (SOHO) networks, not those of a single vendor or running a single family of firmware, according to the Team Cymru report.

A series of high-profile tests and analyses from several security analyst firms during 2011, 2012 and 2013 have shown most home or SOHO routers are vulnerable to authentication bypasses, cross-site request forgeries (CSRF), and a host of other easily blocked attacks, even when their security isn’t compromised by configuration errors made by the non-technical consumers responsible for them.

In this case, the attackers were able to get administrative access to the configuration of hundreds of thousands of routers and change their Domain Name System (DNS) settings to point at a DNS server of the attackers’ choosing, rather than the servers set by the router owners or their ISPs. So far, however, it’s not clear what the attackers are after, or what they’re doing with a captive network of routers that direct their DNS requests to one of two IP addresses registered to London-based 3NT Solutions.

“What we’ve seen so far is a little mysterious,” Team Cymru researcher Steve Santorelli told The Verge. “300,000 machines going to different DNS servers,” but no obvious exploitation of those routers to defraud their owners or to power other attacks.

In most similar attacks, which Team Cymru refers to as “SOHO Pharming,” the actual attack is carried out by code downloaded by a PC on the network, usually JavaScript served from a malicious website, according to the Team Cymru report (diagram). The JavaScript runs in the browser of a machine that has already authenticated to the router, and uses that position to submit a change to the router’s DNS settings. Once the DNS settings are changed, the router resolves the DNS lookups of every device on the network through a malicious DNS server of the attacker’s choosing.
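The browser-borne attack just described works because the router’s admin page accepts a settings change as long as the browser attaches a valid login cookie, which the browser does for any site the user visits. The model below is an added example (not Team Cymru’s code and not any vendor’s firmware) that contrasts such a cookie-only handler with one that also requires a same-origin request and a per-session CSRF token. The router address, the request and session shapes, and the function names are all assumptions made for the example.

```python
"""Toy model of a SOHO router's "change DNS servers" admin endpoint.

Added example; this is not Team Cymru's code nor any vendor's firmware.
ROUTER_ORIGIN, the Request/Session shapes and the handler names are assumed.
"""
import ipaddress
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"  # assumed LAN address of the router's admin UI


@dataclass
class Request:
    method: str
    headers: dict   # e.g. {"Origin": "http://192.168.1.1"}
    cookies: dict   # e.g. {"session": "<id>"}
    form: dict      # e.g. {"dns1": "192.0.2.53", "csrf_token": "<token>"}


@dataclass
class Session:
    session_id: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


SESSIONS = {}  # session_id -> Session; stand-in for the router's session table


def login() -> Session:
    """Simulate a successful admin login: create a session with its own CSRF token."""
    sess = Session(session_id=secrets.token_hex(16))
    SESSIONS[sess.session_id] = sess
    return sess


def _session_for(req: Request):
    return SESSIONS.get(req.cookies.get("session", ""))


def _parse_resolvers(form: dict):
    """Return the submitted resolvers as validated IP strings, or None if any is malformed."""
    try:
        return [str(ipaddress.ip_address(form[k])) for k in ("dns1", "dns2") if form.get(k)]
    except ValueError:
        return None


def _request_origin(req: Request):
    """Origin of the request: the Origin header, else scheme://host[:port] of the Referer."""
    origin = req.headers.get("Origin")
    if origin:
        return origin
    ref = urlsplit(req.headers.get("Referer", ""))
    return f"{ref.scheme}://{ref.netloc}" if ref.scheme and ref.netloc else None


def change_dns_vulnerable(req: Request, router: dict) -> str:
    """Checks the login cookie only. The browser attaches that cookie to a form
    POST triggered by any page the user visits, so a malicious page can make the
    victim's browser submit this request."""
    if req.method != "POST" or _session_for(req) is None:
        return "rejected"
    resolvers = _parse_resolvers(req.form)
    if not resolvers:
        return "rejected"
    router["dns"] = resolvers
    return "changed"


def change_dns_hardened(req: Request, router: dict) -> str:
    """Cookie + same-origin + CSRF token. A cross-site form POST carries the
    cookie but not the token, and its origin is the other site, so it fails."""
    sess = _session_for(req)
    if req.method != "POST" or sess is None:
        return "rejected"
    if _request_origin(req) != ROUTER_ORIGIN:   # missing or foreign origin: fail closed
        return "rejected"
    token = req.form.get("csrf_token", "")
    if not secrets.compare_digest(token.encode(), sess.csrf_token.encode()):
        return "rejected"
    resolvers = _parse_resolvers(req.form)
    if not resolvers:
        return "rejected"
    router["dns"] = resolvers
    return "changed"


if __name__ == "__main__":
    sess = login()
    # Constructed cross-site request: valid cookie, no token, foreign Origin.
    cross_site = Request("POST", {"Origin": "http://malicious.example"},
                         {"session": sess.session_id},
                         {"dns1": "198.51.100.1", "dns2": "198.51.100.2"})
    print("vulnerable:", change_dns_vulnerable(cross_site, {"dns": []}))  # changed
    print("hardened:  ", change_dns_hardened(cross_site, {"dns": []}))    # rejected
```

The origin check fails closed when neither `Origin` nor `Referer` is present, and the token is compared with a constant-time comparison; the legitimate admin page embeds the session’s token in its form, which a page on another origin cannot read.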

In this case, most of the compromised systems are concentrated in Europe, parts of the Middle East and South Asia. Geography is irrelevant to the technique, however; the attack could affect systems anywhere. A similar attack, discovered in late 2013 in Poland, hijacked the DNS settings of home routers and used that control to redirect traffic to sites where the attackers could intercept user names and passwords to banks and other financial institutions, according to a blog from CERT Polska, Poland’s Computer Emergency Response Team.

Attackers avoid SSL encryption on login pages by stripping, from the HTTP headers, the instructions that those pages be loaded over SSL, so the victim’s browser fetches them in plain text, according to the post.

So far, there is no sign attackers in London are using similar spoofs or man-in-the-middle attacks, according to Team Cymru’s white paper SOHO Pharming.

Finding a large-scale attack in progress so soon after flaps over TheMoon virus and the DNS hijacking attacks in Poland makes it clear that SOHO-router attacks have advanced from a long-discussed weakness that was rarely exploited into a major attraction for attacks on consumers. “Consumer unfamiliarity with configuring these devices, as well as frequently insecure default settings, backdoors in firmware and commodity-level engineering standard make SOHO-type wireless routers a very attractive target for cyber criminals,” according to the Team Cymru report.

Networks of compromised routers aren’t botnets in the classical sense, in that they are not made of PCs, servers, or other systems an attacker could easily use to launch DDoS or other attacks using thousands of zombie machines that conceal the identity and location of the attacker. They do give attackers an easy window through which to eavesdrop on everything that happens inside home or small-office networks, including an easy way to reach, with malware or direct attacks, all the computers connected to the compromised routers.

The inability to identify a specific criminal purpose for the most recently discovered attack doesn’t make it any less serious, according to Santorelli.

And it doesn’t get the networking vendors who built those routers and their weak security off the hook by blaming consumers for security problems.

“This is a logical evolution from traditional botnet technology, and one that now requires the vendors to fix, immediately,” Santorelli said.

Image: Team Cymru
