Several groups exploit the routers, hacktivists included

May 12, 2015 13:04 GMT  ·  By

Cybercriminals take advantage of tens of thousands of insecure home routers distributed by ISPs (Internet Service Providers) and manufacturers to create large botnets for distributed denial-of-service (DDoS) attack purposes.

An investigation by website security company Incapsula revealed that malicious traffic aimed at 60 of its clients over a 121-day period came from 40,269 IP addresses belonging to 1,600 ISPs across 109 countries.

The botnet was formed mainly of ARM-based Ubiquiti devices, which led security researchers to the conclusion that the cybercriminals exploited a vulnerability in the firmware.

Routers compromised with minimum effort

However, this assumption was disproved on closer inspection, which revealed that all of the devices could be reached remotely on the default ports over HTTP and SSH, which in itself opens the door to remote attacks.

The botnet operators did not have to work hard to find a way in, though, because almost all of the routers were still using the vendor's default credentials.

“This combination of faulty practices invites trouble. At the risk of overstating the obvious, this level of access lets any perpetrator easily: eavesdrop on all communication, perform man-in-the-middle (MITM) attacks (e.g., DNS poisoning), hijack cookies, gain access to local network devices (e.g., CCTV cameras),” the researchers say.

The most prevalent piece of malware discovered on the compromised devices was Mr.Black, also known as Spike, a denial-of-service bot. It was present on 86.5% of the devices.

AnonOps deploys DDoS via compromised routers

Based on the research results, it is likely that several individuals or groups are exploiting the insecurity of these devices, because Incapsula also found other DoS kits, such as Dofloo and Mayday, although in much smaller proportions (5.48% and 2.84%, respectively).

Incapsula’s efforts led to the discovery of 60 command and control (C&C) servers, a large part of them (73%) being located in China and 21% operating from the US. As far as the geolocation of the controlled routers is concerned, most of them were from Brazil (64%) and Thailand (21%).

From the analysis of the DoS samples, the security researchers determined that one of the groups using the routers to take down online targets is part of the Anonymous hacktivist movement, as the malware reported to an AnonOps IRC channel.

The botnet operators run an efficient operation: the malicious code on the compromised devices can also scan the Internet for other routers that are reachable over SSH and still use default credentials, allowing the botnet to grow on its own.

The report also suggests that the botnet was used by members of Lizard Squad for their DDoS-for-hire service, Lizard Stresser, a conclusion that has been presented before.

Incapsula informed Ubiquiti and the relevant ISPs about the insecurity of the routers they distribute, but users should also consider disabling remote access to their devices and changing the default login credentials in order to prevent unauthorized access.
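The two weaknesses the report describes, management interfaces reachable from the Internet and vendor default accounts, leave traces in a router's own logs. The following Python script is an added example, not code from Incapsula's report or from any router vendor: it parses constructed syslog-style SSH and web-login lines (the log format, the LAN prefix 192.168.1.0/24, and the default account names are all assumptions for illustration) and flags successful administrative logins from non-LAN addresses, with a higher severity when the account is a vendor default, plus clusters of failed logins from a single outside address of the kind the self-propagating scanning described above would produce.

```python
import ipaddress
import re
from collections import Counter

# Assumed LAN prefix of the router being audited (an assumption, not from the report).
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

# Account names commonly shipped as vendor defaults on home routers
# (assumption for illustration; the report does not list the names it observed).
DEFAULT_USERNAMES = {"admin", "ubnt", "root"}

# Constructed sample log lines in a syslog-like format; not taken from the report.
SAMPLE_LOG = """\
Jan 12 03:14:07 gw sshd[1201]: Accepted password for ubnt from 203.0.113.45 port 51322 ssh2
Jan 12 03:14:09 gw httpd: login ok user=admin from=198.51.100.7
Jan 12 03:15:01 gw sshd[1202]: Accepted password for admin from 192.168.1.20 port 40111 ssh2
Jan 12 03:16:30 gw sshd[1203]: Failed password for root from 203.0.113.45 port 51400 ssh2
Jan 12 03:16:31 gw sshd[1204]: Failed password for root from 203.0.113.45 port 51401 ssh2
Jan 12 03:16:32 gw sshd[1205]: Failed password for admin from 203.0.113.45 port 51402 ssh2
Jan 12 03:20:00 gw sshd[1206]: Failed password for root from 192.168.1.55 port 40200 ssh2
"""

SSH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) password for (\S+) from (\S+) port \d+")
HTTP_RE = re.compile(r"httpd: login ok user=(\S+) from=(\S+)")


def parse_line(line):
    """Return (service, success, user, source_ip) for a login line, or None otherwise."""
    m = SSH_RE.search(line)
    if m:
        return ("ssh", m.group(1) == "Accepted", m.group(2), m.group(3))
    m = HTTP_RE.search(line)
    if m:
        # The assumed web server only logs successful logins in this format.
        return ("http", True, m.group(1), m.group(2))
    return None


def is_lan(ip_text, lan_networks=LAN_NETWORKS):
    """True when the address falls inside one of the router's own LAN prefixes."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in lan_networks)


def audit(log_text, lan_networks=LAN_NETWORKS, fail_threshold=3):
    """Return (severity, message) findings for management access from outside the LAN.

    Successful logins from non-LAN addresses are reported immediately; failed logins
    from the same outside address are counted and reported once they reach the threshold.
    """
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        service, success, user, src = parsed
        if is_lan(src, lan_networks):
            continue  # local administration is expected; nothing to flag
        if success:
            severity = "critical" if user in DEFAULT_USERNAMES else "high"
            findings.append((severity,
                             f"{service} login as '{user}' from WAN address {src}; "
                             "management interface is reachable from the Internet"))
        else:
            failures[src] += 1
    for src, count in failures.items():
        if count >= fail_threshold:
            findings.append(("medium",
                             f"{count} failed logins from WAN address {src}; "
                             "consistent with automated credential scanning"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Run against the constructed sample, the script reports two critical findings (an SSH login as `ubnt` and a web login as `admin`, both from outside the LAN) and one medium finding for the three failed attempts from 203.0.113.45; the local administrator logins are ignored. Any critical finding here corresponds directly to the remediation the article recommends: close the WAN-facing management ports and replace the default credentials.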

Photo gallery (2 images): Countries most of the bad traffic originates from; DoS sample contacts AnonOps IRC server