Most small-office routers have ‘critical’ vulnerabilities as mysterious ‘Moon’ worm spreads

A large majority of routers used in small offices are plagued with security vulnerabilities – with up to 80% of small office/home office models having critical security weaknesses, according to a survey by Tripwire. Tripwire’s research also found that many IT professionals working remotely do not use basic security controls.

The report comes in the wake of the discovery of a mysterious worm dubbed ‘Moon’ which is infecting models of Linksys router, as reported by We Live Security. The Internet Storm Center has issued a ‘suspected mass exploit’ warning regarding the worm.

The commercial routers used by small businesses are easy prey for such attacks – Tripwire’s security team analyzed Amazon’s 25 best-sellers and found that ‘critical’ vulnerabilities were ‘endemic’.

Of the 25 best-selling machines, Tripwire’s team found that 80% had security vulnerabilities, and that within that figure, 34% had publicly documented exploits that the firm claims would enable cybercriminals to “craft either highly targeted attacks or general attacks targeting every vulnerable system they can find,” according to a report in International Business Times.

ESET senior research fellow David Harley said in an interview with Infosecurity Magazine, “You could, in principle, look for some kinds of vulnerability when a router is accessed via a browser or a specialist app, but how practical that is across the whole range of router hardware is another question. You can detect code that’s intended to cause such an infection, of course, if it’s carried in a form where it can be scanned by security software on the desktop or perimeter (or even a mobile device), but if it skips from router to router like Moon it isn’t likely to be detected on the endpoint.”

Failings by IT staff worsen these risks, the report found, according to Infosecurity Magazine‘s report. A study of 653 IT and security professionals and 1,009 remote workers found that 30% of IT professionals and 46% of remote workers do not change default passwords on their routers, and that nearly half of workers polled use WPS, an insecure standard that makes it easy for criminals to ‘crack’ passwords.

More than half of both IT professionals and remote workers did not update the firmware on their routers – leaving them unprotected from known threats.

“Routers are an ideal target for cyberattackers because they can be used to eavesdrop on traffic sent to and from nearby enterprise access points. After an attacker has gained control of a router, they are able to monitor, redirect, block or otherwise tamper with a wide range of online activities,” the firm said in a statement.

The BBC reports that security failings in routers have led to repeated attacks against several models, including those made by Linksys and Asus, and said that reports in Poland suggested that one gang was using these vulnerabilities to steal cash.

The Internet Storm Center’s Johannes B Ulrich said, “At this point, we are aware of a worm that is spreading among various models of Linksys routers. We call this a “worm” at this point, as all it appears to do is spread. We do not know for sure if there is a command and control channel yet. But the worm appears to include strings that point to a command and control channel. The worm also includes basic HTML pages with images that look benign and more like a calling card. They include images based on the movie “The Moon” which we used as a name for the worm.”

“The recent discovery of ‘The Moon’ worm currently infecting exposed Linksys routers indicates that threats to routers will continue to increase as malicious actors recognize how much information can be gained by attacking these devices,” said Craig Young, security researcher for Tripwire. “Unfortunately, users don’t change the default administrator passwords or the default IPs in these devices and this behaviour, along with the prevalence of authentication bypass vulnerabilities, opens the door for widespread attacks through malicious web sites, browser plugins, and smartphone applications.”

Author , We Live Security


Copyright © 2017 ESET, All Rights Reserved.