Security Advisor

Hackers Target More Than 30,000 Routers in DNS Attack Campaign

Many of the compromised devices were breached using simple brute force techniques to obtain the routers' passwords.

A London-based corporation looks to be responsible for an attack that is targeted at a number of popular network routers used by small business owners and home users, according to Internet security research firm Team Cymru.

The Florida-based firm, which released a detailed report on the current attack, said the U.K. company 3NT is behind a wave of consumer and small office/home office (SOHO) router attacks in Europe and Asia that have affected over 30,000 devices.

"In January 2014, Team Cymru's Enterprise Intelligence Services began investigating a SOHO pharming campaign that had overwritten router DNS settings in central Europe," read the report.  "To date, we have identified over 300,000 devices, predominantly in Europe and Asia, which we believe have been compromised as part of this campaign, one which dates back to at least mid-December of 2013."

According to the research firm, due to the default factory settings of most low- to mid-range routers, simple password guessing through brute force attacks were used to gain access.

After the routers' DNS settings were altered through exploits that include the Cross-Site Request Forgery (CSRF) and ZyXEL firmware techniques, the compromised devices would direct traffic to malicious Web sites and domains, where multiple vulnerabilities would be loaded on a system. The two IP addresses used have been identified as originating in the Netherlands.

While the attacks have been spread over different countries in Asia and Europe, the top-targeted countries are Vietnam, Italy, Thailand, Indonesia, Colombia, Turkey, Ukraine, Bosnia and Herzegovina and Serbia.

Team Cymru said router brands being targeted include D-Link, Micronet, Tenda and TP-Link, among others. After discovering the attack, the security firm said it is currently working with the manufacturers on the situation. Further, law enforcement has been notified of the two IP addresses in question.

To mitigate the risk of attack, it is recommended that SOHO device users review all router security and settings policies. "SOHO devices should have remote user-mode administration features and GUIs disabled or, at a minimum, restricted through ACLs to only those IPs required for regular administration," read the report. "Management interfaces open to the Internet create an easily detectable and exploitable vulnerability and should be disabled immediately if found."

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.

comments powered by Disqus

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.