Compromised Routers Used for Variety of Badness

Concern over the security of home routers is nothing new, but it has soared with the increasing fear that the Internet of Things (IoT) can be (and already has been) used to generate huge distributed denial of service (DDoS) attacks. The problem is that many home routers are known to include vulnerabilities, while home users are not known for their ability to behave securely.

Over the last few months Fortinet has been watching the signatures that indicate an attack against three particular home router brands: Netcore/Netis, DLink, and Asus — all of which have known vulnerabilities. The targeted Asus vulnerability was disclosed in July 2015, but attacks against it did not seriously materialize until June 2016. Since then attacks have steadily increased. “Over the past 30 days, Fortinet has collected 9 million hits from this signature,” writes Bing Liu in a blog post.

The Netcore/Netis device has a vulnerability found in 2014, but publicly disclosed early in 2016. In July 2016, this vulnerability was included in a number of vulnerability scanners in common use. There were two immediate spikes in attack signature detections “at the end of July, just after the signature was released. And over the past three months, this has consistently been the top triggered signature.” In fact, Fortinet has collected 1.75 billion hits from the signature in just the past 30 days.

The DLink vulnerability was discovered in 2013, but again it was not until July 2016 that Fortinet began to see an increase in attacks against it. “Over the past 30 days,” writes Liu, “Fortinet has collected two million hits from this signature.”

In all three cases, by far the majority of attacks were detected in Taiwan and the US.

In most cases these are home routers. The manufacturers also offer routers for small and mid-sized companies; but in general the same vulnerabilities affect multiple versions of the software installed across all models.

Fortinet suggested to SecurityWeek that the routers are being attacked for two primary reasons. The first it calls ‘land and expand’: “basically use the flaw as an entry point to infect other devices attached to the network with malware (laptops, mobile devices, home automation).” Additionally, it added, “Infected routers and home systems can become part of a botnet used to further spread malware, spam or execute Distributed-Denial-of-Service (DDoS) attacks like the one that recently hit KrebsOnSecurity.”

KrebsOnSecurity has also commented further on the router issue. In a recent blog post, Brian Krebs describes a honeypot that caught traffic seeking to compromise Asus and Linksys routers running default credentials (that is, not specifically trying to exploit a known vulnerability). Further investigation suggests “that all of the systems were being used for a variety of badness, from proxying Web traffic destined for cybercrime forums to testing stolen credit cards at merchant Web sites. Further study of the malware files and the traffic beacons emanating from the honeypot systems indicated his honeypots were being marketed on a Web-based criminal service that sells access to SOCKS proxies in exchange for Bitcoin.”

For the moment, the home router threat would appear to be more potential than actual. The attack signatures detected by Fortinet are attacks against routers rather than indicators of actual compromise. Similarly the Krebs account describes what malware caught in a honeypot is intended to do, if it succeeds in infecting the routers. In the latter case the attacks were against factory default credentials, so provided users change those settings, the attacks would fail.

There is, in fact, little evidence of the extent of actual compromises. F-Secure operates a home Router Checker. It is currently analyzing metrics from those checks, but gave SecurityWeek a brief preview.

“The basic finding is this,” F-Secure’s Sean Sullivan told SecurityWeek: “a small percentage (a percentage of one percent) of our customers have discovered DNS issues. Our Router Checker is focused on DNS – and that appears to be fully focused on ad-fraud. The altered DNS is typically used to redirect Google Analytics towards ad schemes that benefit the hacker.”

For now, F-Secure is finding little evidence of mass home router infections — although the potential remains. “It’s quite possible,” he added, “that those who have had their DNS settings altered may also have devices behind those routers that are exposed, and have been hacked, but our checker isn’t made for that and so we don’t have ‘hacked IoT’ devices visibility at the moment.”
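As an added illustration (not F-Secure's Router Checker and not code from the article), here is a small offline check in the spirit of the DNS test described above: given the resolver addresses a router hands out over DHCP, it flags any that are neither the router itself nor a well-known public resolver, which is the kind of symptom a DNS-altering router compromise produces. The LAN range, the public-resolver allowlist and the sample addresses are assumptions; a real checker would also perform a live lookup through the router, which this script does not.

```python
import ipaddress
from typing import Dict, List

# Assumed allowlist of well-known public resolvers (a hypothetical policy;
# a household would add its ISP's resolvers here).
KNOWN_PUBLIC_RESOLVERS = {
    "8.8.8.8", "8.8.4.4",          # Google Public DNS
    "1.1.1.1", "1.0.0.1",          # Cloudflare
    "9.9.9.9", "149.112.112.112",  # Quad9
}


def classify_resolver(ip: str, lan: ipaddress.IPv4Network) -> str:
    """Classify one resolver address advertised by the router.

    Returns one of:
      "invalid"      - not a parseable IPv4 address
      "router-local" - inside the home LAN (the router forwarding DNS itself)
      "known-public" - on the assumed allowlist of public resolvers
      "unknown"      - anything else; compare against the ISP's resolvers before trusting it
    """
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:  # AddressValueError is a ValueError subclass
        return "invalid"
    if addr in lan:
        return "router-local"
    if ip in KNOWN_PUBLIC_RESOLVERS:
        return "known-public"
    return "unknown"


def audit_resolvers(resolvers: List[str], lan_cidr: str = "192.168.1.0/24") -> Dict[str, List[str]]:
    """Bucket every advertised resolver by classification (LAN range is an assumption)."""
    lan = ipaddress.IPv4Network(lan_cidr)
    report: Dict[str, List[str]] = {"router-local": [], "known-public": [], "unknown": [], "invalid": []}
    for ip in resolvers:
        report[classify_resolver(ip, lan)].append(ip)
    return report


def looks_hijacked(report: Dict[str, List[str]]) -> bool:
    """A router pointing clients at an unrecognised resolver is the symptom worth investigating."""
    return bool(report["unknown"] or report["invalid"])


# Constructed samples: what a healthy router and a tampered one might advertise over DHCP.
HEALTHY = ["192.168.1.1"]
TAMPERED = ["192.168.1.1", "203.0.113.53"]  # 203.0.113.0/24 is a documentation range, used here as a stand-in

if __name__ == "__main__":
    for name, servers in (("healthy", HEALTHY), ("tampered", TAMPERED)):
        result = audit_resolvers(servers)
        print(name, "hijack suspected" if looks_hijacked(result) else "ok", result)
```

The check errs on the side of flagging: a legitimate ISP resolver not on the allowlist will show up as "unknown", which is the intended prompt to verify it rather than a verdict of compromise.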


Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
