Small office and home office (SOHO) routers are an increasingly common target for cybercriminals, not because of any vulnerability, but because most routers are loosely managed and often deployed with default administrator credentials.
A new report suggests that hackers are using large botnet of tens of thousands of insecure home and office-based routers to launch Distributed Denial-of-Service (DDoS) attacks.
Security researchers from DDoS protection firm Incapsula uncovered a router-based botnet, still largely active while investigating a series of DDoS attacks against its customers that have been underway since at least last December, 2014.
Over the past four months, researchers have recorded malicious traffic targeting 60 of its clients came from some 40,269 IP addresses belonging to 1,600 ISPs around the world.
Almost all of the infected routers that were part of the botnet appear to be ARM-based models from a California-based networking company Ubiquiti Networks, sold across the world.
This makes researchers believed that the cyber criminals were exploiting a firmware vulnerability in the routers.
What’s revealed in the close inspection?
However, this assumption was proved wrong when inspected deeply, revealing that…
- All of the compromised routers could be remotely accessible on the default ports (via HTTP and SSH)
- Almost all of those accounts continued to make use of vendor-provided login credentials
This basically opens the door for an attacker to man-in-the-middle (MitM) attacks, eavesdrop on all communication, cookie hijack, and allows hackers to gain access to other local network devices such as CCTV cameras.
Router makers design their devices in such a way that it can be easily connected, and therefore they give each user the same administrator credential, without giving any warning to change the default credentials. Moreover, instead of allowing users to turn on remote administration, the manufacturers make it on by default.
"Given how easy it is to hijack these devices, we expect to see them being exploited by additional perpetrators," researchers wrote. "Even as we conducted our research, the Incapsula security team documented numerous new malware types being added—each compounding the threat posed by the existence of these botnet devices."
A variety of DDoS malware involvement:
The security firm also discovered a variety of DDoS malware programs, including MrBlack, Dofloo, and Mayday, installed on the insecure devices in order to attempt other malicious tasks such as:
- Redirect victims to malicious websites
- Intercept victims’ online banking sessions
- Inject rogue and malicious advertisements into the victim's Web traffic
- Steal login credentials for various online accounts
- Perform other illegal activities
The question remains — Who is behind this botnet?
Researchers found some indirect evidence correlating the router-based botnet to a notorious hackers group called Lizard Squad, a group that has used compromised routers to launch DDoS attacks against Sony's PlayStation and Microsoft's Xbox networks.
Back in January, Lizard Squad set up a DDoS-for-hire service called Lizard Stresser that was using hacked home routers. However, Incapsula believes that it’s not Lizard Stresser because it is powered by different malware programs.
The botnet comprises devices in 109 countries, with Thailand (64 percent), Brazil, and the United States being the top three most-affected nations. Also, the firm identified 60 command and control servers used by criminals to control the botnet, the majority of them were located in China and the U.S.
The bottom line:
Users should also keep in mind the safety of their devices by making sure that they:
- Disable all remote access to the devices unless it's specifically needed
- Change the default login credentials for their routers to prevent unauthorized access
- Router firmware is up-to-date