A group of attackers managed to compromise 300,000 home and small-office wireless routers, altering their settings to use rogue DNS servers, according to Internet security research organization Team Cymru.
In January, Team Cymru's researchers identified two TP-Link wireless routers whose settings were altered to send DNS (Domain Name System) requests to two particular IP addresses: 18.104.22.168 and 22.214.171.124. An analysis of the rogue DNS servers running at those IP addresses revealed a mass-scale compromise of consumer networking devices.
Over a one-week period, more than 300,000 unique IP addresses sent DNS requests to the two servers, the Team Cymru researchers said in a report released Monday. Many of those IP addresses corresponded to a range of routers, including models from D-Link, Micronet, Tenda, TP-Link and other manufacturers, that had their DNS settings maliciously altered, they said.
The researchers believe those devices were compromised using different techniques that exploit several known vulnerabilities. Many of the affected devices had their administrative interfaces accessible from the Internet, making them susceptible to brute-force password-guessing attacks or unauthorized access using default credentials, if their owners didn't change them, the researchers said.
A considerable number of devices also appeared to be vulnerable to a security flaw reported in January in ZynOS, a router firmware created by ZyXEL Communications that's also used on router models from other manufacturers. That vulnerability allows attackers to remotely download a file containing the configuration of vulnerable routers without authentication and parse it to extract the password for the router's administrative interface.
According to the Team Cymru researchers, it's also likely that attackers used cross-site request forgery (CSRF) to exploit vulnerabilities in TP-Link routers that have been known since last year.
CSRF attacks involve placing malicious code on a website to force visitors' browsers to send specially crafted requests to a third-party URL. If the users are authenticated on the third-party site and the site has no CSRF protection, the malicious requests can abuse the users' access on that site to perform unauthorized actions. This type of attack is also known as session riding.
Attackers can use CSRF techniques to attack routers when their administration interfaces are only accessible from the local area network by proxying requests through their owners' browsers and leveraging their authenticated sessions.
The Team Cymru researchers noted two vulnerabilities reported in various TP-Link router models last year that are known to have been targeted through CSRF attacks. One allows attackers to replace the administrator password with a blank one and the other allows changing the router's DNS settings, even if the rogue request contains bogus credentials.
The first vulnerability was tested successfully against a TP-Link TD-8840T router running firmware version 3.0.0 build 120531 that was one of the first victim devices identified in the attack campaign, the researchers said. The second vulnerability reportedly affects TP-Link WR1043ND, TL-MR3020 and TL-WDR3600 running various firmware versions, but other models might also be affected.
TP-Link has released firmware patches for some of the affected models, but users rarely update their home routers and other networking devices.
The mass compromise identified by Team Cymru bears some resemblance to another attack campaign reported in early February that altered the DNS settings of home routers in Poland to intercept online banking sessions. That attack is also believed to have exploited the ZynOS vulnerability, but Team Cymru believes it's separate from the larger attack campaign they identified.
In the Polish attack, hackers used different rogue DNS servers, targeted a small pool of users in a more concentrated geographic area and specifically focused on intercepting connections to Polish banking sites.
"In contrast, the attackers setting devices to the IPs 126.96.36.199 and 188.8.131.52 had compromised a very large pool of devices, and controlled large blocks of devices within specific ISPs, where the homogeneity of SOHO [small office/home office] router models, configurations and firmware versions likely allowed the attack to scale easily," the Team Cymru researchers said.
The majority of routers compromised in the attack campaign identified by Team Cymru were located in Vietnam (around 160,000 IP addresses), but overall the campaign had a global distribution. Aside from Vietnam, the top 10 countries by victim count were India, Italy, Thailand, Colombia, Bosnia and Herzegovina, Turkey, Ukraine, Serbia and Ecuador. The U.S. was 11th.
"The scale of this attack suggests a more traditional criminal intent, such as search result redirection, replacing advertisements, or installing drive-by downloads; all activities that need to be done on a large scale for profitability," the researchers said. "The more manually intensive bank account transfers seen in Poland would be difficult to conduct against such a large and geographically-disparate victim group."
The researchers also observed that the two DNS servers used by the attackers responded intermittently to requests, meaning that victims likely experienced Internet connection issues. DNS is a critical service that's used to translate domain names into numerical IP addresses. Without this functionality a computer would not be able to access any website using its domain name.
By controlling DNS resolution attackers can transparently redirect users to servers under their control when those users try to access legitimate websites and this enables a variety of attacks from traffic snooping to hijacking search queries and injecting exploits, advertisements, and other rogue content into traffic.
This newly reported mass compromise is the latest in a series of large-scale attacks against home routers that have been uncovered recently. Aside from the online banking attacks in Poland, security researchers also discovered a worm infecting Linksys routers. Recent vulnerabilities in ASUS routers also left thousands of USB-attached hard drives exposed to remote access from the Internet.
"Our research indicates that threats to routers will continue to increase as malicious actors recognize how much information can be gained by attacking these devices," said Craig Young, a security researcher at Tripwire, via email.
Tripwire's research team found security vulnerabilities in 80 percent of the top 25 best-selling SOHO wireless router models available on Amazon.com, according to Young.
"Of these vulnerable models, 34 percent have publicly documented exploits that make it relatively simple for attackers to craft either highly targeted attacks or general attacks targeting every vulnerable system they can find," the researcher said.
Both Young and the Team Cymru researchers advise users to disable remote management over the Internet on their routers and to keep their firmware up to date. If remote administration is absolutely necessary, steps should be taken to restrict remote access to only particular IP addresses. Other recommendations include: changing the default passwords, not using the default IP address ranges for a LAN, logging out every time after accessing the router interface, checking the router's DNS settings frequently to ensure they haven't been modified, and using SSL (Secure Sockets Layer) to access the router's Web interface if the option is available.