More than 300,000 wireless routers worldwide are under the control of an unknown group of cybercriminals, who have made malicious changes to the devices’ settings, allowing the attackers to misdirect computers to websites of their choice.
Ars Technica reports that the attack, which began in January 2014, affects multiple brands of router, including devices from D-Link, Micronet, Tenda among others. Routers around the world are affected, with many victims in Vietnam, but other affected in Thailand, Colombia and Italy.
Team Cymru, the specialist security company which identified the attack said that the mass attack was the “latest in a growing trend” of cybercriminals targeting SOHO (small office/home office) routers as a way to target victims without compromising PCs directly.
“The attackers are altering the DNS configuration on these devices in order to redirect victims’ DNS requests and subsequently replace the intended answers with IP addresses and domains controlled by the attackers,” the researchers write.
“The scale of this attack suggests a more traditional criminal intent, such as search result redirection, replacing advertisements, or installing drive-by downloads; all activities that need to be done on a large scale for profitability.”
IB Times reports that the attacks appear to come from two London IP addresses, and that a spokesman for Team Cymru says that so far, “We have not seen any use for this pool of victims – but it’s only a matter of time.”
Last week, research found that 80% of small office/home office routers have ‘critical’ security weaknesses, and that even IT professionals working remotely fail to use basic security tools.
Team Cymru said that cybercriminals were targeting the devices as an easier ‘way in’ than attacking computers directly. “Consumer unfamiliarity with configuring these devices, as well as frequently insecure default settings, backdoors in firmware and commodity-level engineering make SOHO-type wireless routers a very attractive target for cybercriminals”
The report comes in the wake of the discovery of a mysterious worm dubbed ‘Moon’ which is infecting models of Linksys router, as reported by We Live Security. The Internet Storm Center has issued a ‘suspected mass exploit’ warning regarding the worm.
The BBC reports that secuity failings in routers has led to repeated attacks against several models, including those made by Linksys and Asus, and said that reports in Poland suggested that one gang was using these vulnerabilities to steal cash.
Team Cymru says that “differences in tradecraft” seem to point to the fact that the new attack is conducted by a separate group – both from the creators of “Moon”, and from attacks seen in Poland which attempted to steal banking details, “The more manually intensive bank account transfers seen in Poland would be difficult to conduct against such a large and geographically-disparate victim group,” the researchers wrote.
The commercial routers used by small businesses are easy prey for such attacks. Last week, Tripwire’s security team analyzed Amazon’s 25 best-sellers and found that ‘critical’ vulnerabilities were ‘endemic’.
Of the 25 best selling machines,. Tripwire’s team found that 80% of those had security vulnerabilities, and that within that figure, 34% had publicly documented exploits that the firm claims would enable cybercriminals to “craft either highly targeted attacks or general attacks targeting every vulnerable system they can find,” according to a report by International Business Times.
ESET senior research fellow David Harley said in an interview with Infosecurity Magazine, “You could, in principle, look for some kinds of vulnerability when a router is accessed via a browser or a specialist app, but how practical that is across the whole range of router hardware is another question. You can detect code that’s intended to cause such an infection, of course, if it’s carried in a form where it can be scanned by security software on the desktop or perimeter (or even a mobile device), but if it skips from router to router it isn’t likely to be detected on the endpoint.”
Failings by IT staff worsen these risks, the report found, according to Infosecurity Magazine‘s report. A study of 653 IT and security professionals and 1,009 remote workers found that 30% of IT professionals and 46% of remote workers do not change default passwords on their routers, and that nearly half of workers polled use WPS, an insecure standard that makes it easy for criminals to ‘crack’ passwords.
Author Rob Waugh, We Live Security