Sign up to our newsletter
Households and small businesses that use consumer-grade internet routers may fall victim to attacks that are currently targeting mainly Brazilian users, but may be easily localized to any other country.
These attacks have been around since 2012, but the risks they carry are rising sharply as the number of devices connected via routers to the internet skyrockets (according to Cisco there will be 3.4 devices per capita connected to IP networks by 2020). Therefore, we are closely monitoring these attacks in order to keep pace with recent developments in the attackers’ techniques.
It seems likely that there are different groups conducting these attacks as both the methodology and the scripts used vary. The basics, however, remain the same: they leverage either open access to routers due to weak authentication (mostly default username/password combination) or vulnerabilities in their firmware.
The main objectives of these attacks are to change the DNS configuration, allow remote management of the router by accessing it with its public IP, and to set a predefined password – often the router’s default password – for potential easy access for the perpetrators at a later time.
The attacks we’ve observed were the result of redirection from a malicious page or advertising network to the perpetrators’ landing page hosting a malicious script.
The script then tries predefined username:password combinations at default local addresses for particular router types along with the desired commands to execute.
The affected users are mostly running Firefox, Chrome or Opera browsers. Internet Explorer seems to be safe mainly due to the fact that it does not support the username:password@server notation (https://support.microsoft.com/en-us/kb/834489).
One of the simplest scripts and clearest type of attacks is this where the <style> attribute is used for Cross-Site Request Forgery (CSRF). In one particular case we examined, the attack targeted a particular modem by a Brazilian provider that comes with the default credentials of “admin:gvt12345”:
And the resulting communication:
Another malicious actor seems to access the router using its external IP address …
… where the files in question contain the router instructions followed with a “refresh” to the next page. The router’s external IP is visible in the pages below:
Another type of attack is not shy of IPv6 and is using iframes. This innovative means of obfuscation is probably meant to confuse the casual onlooker; it might also evade network intrusion detection systems.
And the resulting traffic from Chrome:
Other actors are hiding their script using AngularJS – a standalone java script framework. They use some stock plugins for cryptography and to display a fake page. They have written a custom plugin that takes care of downloading a config file based on the assumed router, key exchange, decrypting of the config and its execution.
The main angularJS entry:
The communication – “GET /api/lockLinkss” is the request for the config file:
Part of a decoded config:
Use case: Phishing
Since the beginning of September, the daily average of unique clients reporting attacks of the described types reached 1,800, with the majority of them coming from Brazil. A large portion of the DNS addresses we found were working. However, some were not working at all, or a default server welcome web page was displayed. While it is difficult to find the exact web pages these actors are trying to hijack and use for phishing purposes – most of the pages will work normally – we have managed to find some irregularities.
With the DNS set to the IP’s below, these web pages were proven hijacked:
Screenshot of genuine banco.bradesco taken on 2016-08-31:
Another phishing site resembles its legitimate counterpart quite successfully. Note the IP 18.104.22.168 is the legitimate IP of the bank. The real site “www.banco.bradesco.com.br” redirects to “banco.bradesco” that also belongs to the bank, but the IP 22.214.171.124 belongs instead to the phisher:
All of the mentioned attacks, regardless of whether they are used immediately for phishing or are intended as preparation for some later use, have a common denominator: default or even non-existent passwords. On top of that, there are numerous vulnerable types of routers on the market (good sources documenting vulnerabilities in routers are http://routersecurity.org/bugs.php or – for more experienced readers – https://www.exploit-db.com). Taking advantage of these circumstances, the most commonly misused function in the investigated routers was the possibility to change the DNS.
The security of routers is growing in importance, and phishing is not the only reason. With access granted to the router, attackers can log in and check the network for other connected devices. From Smart TVs to home control systems and smart fridges, there is a myriad of “Internet of Things” users connected to the web via their (often unsecured) routers.
Moreover, all these IoT devices might be just as vulnerable due to default or weak username:password combinations that are never changed by the user, as well as vulnerabilities such as those found in ESET’s router tests. This puts them in the crosshairs of the cybercriminals, as they might be abused and misused for malicious acts.
This has been showcased in the recent attacks by Mirai malware that pulled together a botnet of “smart devices” with low security thresholds and used them for historically large DDoS attacks.
To stay safe from these attacks, internet users should:
Research and article contributors: Bešina Ivan, Fránik Milan, Janko Ladislav
Author ESET Research, ESET