300,000 routers compromised in DNS hijacking campaign

Some 300,000 confirmed – but most likely many more – small office/home office (SOHO) routers have been compromised and their DNS settings changed to use two IP addresses in London, effectively allowing yet unknown attackers to perform Man-in-the-Middle attacks.

“To date, we have identified over 300,000 devices, predominantly in Europe and Asia, which we believe have been compromised as part of this campaign, one which dates back to at least mid-December of 2013,” reported Team Cymru researchers, who spotted several affected TP-Link Wi-Fi routers in January and began investigating the matter.

“The routers were both small office/home office (SOHO) class devices that provided Wi-Fi connectivity, local DNS, and DHCP services to customers, and were not using default passwords,” they pointed out.

But some of them were running a firmware version vulnerable to Cross-Site Request Forgery attacks, and at least one ran firmware sporting a recently discovered flaw that allows attackers to download the device’s configuration file which, of course, contains administrative credentials.

The affected routers come from different manufacturers – the aforementioned TP-Link, D-Link, Micronet, and others – and they are predominantly located in Vietnam, India, Italy, Thailand, and Colombia, but also in Serbia, Ukraine, and Bosnia and Herzegovina.

The interesting thing about this campaign is that it seems that currently the DNS requests sent to those two IP addresses are forwarded on to legitimate servers.

“Attempts to log into local banking websites in affected countries, and to download software updates from Adobe and others all appeared to function normally, though many requests resolved noticeably slowly or failed to complete. Websites we tested also appeared to display normal advertising using these DNS servers,” the researchers noted. So either this mass compromise is a preparation for later mischief, or the damage has already been done.
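Because the rogue resolvers forward queries to legitimate servers, name resolution keeps working and the clearest sign on a client is simply which resolver addresses the router hands out over DHCP. The following Python script is an added example, not code from the article or from Team Cymru: it parses a `resolv.conf` and a `dhclient` lease excerpt and flags any resolver that is not on a local allowlist, distinguishing unexpected LAN addresses from unexpected remote ones. The allowlist, the sample files and the `203.0.113.x` resolver addresses are constructed for illustration (TEST-NET addresses standing in for whatever a real campaign would use).

```python
import ipaddress
import re

# Assumption: the resolvers this network expects its hosts to use
# (the router itself plus whatever upstream resolvers you sanction).
TRUSTED_RESOLVERS = {"192.168.1.1", "9.9.9.9"}

# Address ranges that belong on a home/office LAN; anything else handed
# out as a resolver deserves a look.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed sample of /etc/resolv.conf as a DHCP client writes it after a
# router with altered DNS settings handed out remote resolvers.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd from eth0
nameserver 203.0.113.5
nameserver 203.0.113.6
search home.lan
"""

# Constructed sample dhclient lease excerpt from the same client.
SAMPLE_DHCLIENT_LEASE = """\
lease {
  interface "eth0";
  option routers 192.168.1.1;
  option domain-name-servers 203.0.113.5,203.0.113.6;
}
"""


def resolvers_from_resolv_conf(text):
    """Return nameserver addresses in resolv.conf order, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


_LEASE_DNS_RE = re.compile(r"option domain-name-servers\s+([^;]+);")


def resolvers_from_dhclient_lease(text):
    """Return DNS servers from every 'option domain-name-servers' line."""
    servers = []
    for match in _LEASE_DNS_RE.finditer(text):
        servers.extend(s.strip() for s in match.group(1).split(",") if s.strip())
    return servers


def classify_resolver(addr, trusted=TRUSTED_RESOLVERS):
    """trusted / lan-untrusted / remote-untrusted / invalid for one address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if addr in trusted:
        return "trusted"
    # IPv4 addresses are never "in" an IPv6 network, so mixing versions is safe.
    if any(ip in net for net in LAN_RANGES):
        return "lan-untrusted"
    return "remote-untrusted"


def audit_resolvers(resolv_conf_text, lease_text="", trusted=TRUSTED_RESOLVERS):
    """Merge resolvers from both sources and report every non-trusted one."""
    seen = {}
    sources = (
        ("resolv.conf", resolvers_from_resolv_conf(resolv_conf_text)),
        ("dhclient.lease", resolvers_from_dhclient_lease(lease_text)),
    )
    for name, servers in sources:
        for server in servers:
            seen.setdefault(server, set()).add(name)
    findings = []
    for addr, where in seen.items():
        verdict = classify_resolver(addr, trusted)
        if verdict != "trusted":
            findings.append({"resolver": addr, "verdict": verdict,
                             "sources": sorted(where)})
    return findings


if __name__ == "__main__":
    for finding in audit_resolvers(SAMPLE_RESOLV_CONF, SAMPLE_DHCLIENT_LEASE):
        print(f"{finding['resolver']}: {finding['verdict']} "
              f"(seen in {', '.join(finding['sources'])})")
```

On a real host, read `/etc/resolv.conf` and the lease file under `/var/lib/dhcp/` (path varies by distribution) instead of the constructed samples; a `remote-untrusted` verdict for a resolver the router itself handed out is the condition worth escalating, since the router, not the client, is then the thing to inspect.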

Team Cymru researchers have noticed some similarities between this campaign and one other that was mostly limited to targeting customers of several Polish banks, but they concluded that “subtle differences in the tradecraft employed makes it likely that [they] are observing either separate campaigns by the same group, or multiple actors utilizing the same technique for different purposes.”

They also added that they don’t believe the recently discovered Moon worm campaign targeting Linksys routers was mounted by the same attackers.

The researchers have notified the authorities about this campaign, and also the manufacturers of the affected devices.

Team Cymru spokesman Steve Santorelli shared with PC Pro that the two IP addresses to which the DNS requests are redirected are located on machines in the Netherlands, but are registered with UK-based company 3NT Solutions. This company’s IP ranges have previously and repeatedly been associated with spammy sites.

The researchers have shared helpful techniques for mitigating this type of attack in a whitepaper.

“As the bar is increasingly raised for compromising endpoint workstations, cyber criminals are turning to new methods to achieve their desired goals, without gaining access to victims’ machines directly. The campaign detailed in this report is the latest in a growing trend Team Cymru has observed of cyber criminals targeting SOHO routers,” they noted.

Is it any wonder that the criminals are going after these devices, given that they are notoriously full of exploitable security holes, and users are lax when it comes to changing the default administrator password?
