Security Advisor

Hackers Target More Than 30,000 Routers in DNS Attack Campaign

Many of the compromised devices were breached using simple brute force techniques to obtain the routers' passwords.

A London-based corporation looks to be responsible for an attack that is targeted at a number of popular network routers used by small business owners and home users, according to Internet security research firm Team Cymru.

The Florida-based firm, which released a detailed report on the current attack, said the U.K. company 3NT is behind a wave of consumer and small office/home office (SOHO) router attacks in Europe and Asia that have affected over 30,000 devices.

"In January 2014, Team Cymru's Enterprise Intelligence Services began investigating a SOHO pharming campaign that had overwritten router DNS settings in central Europe," read the report.  "To date, we have identified over 300,000 devices, predominantly in Europe and Asia, which we believe have been compromised as part of this campaign, one which dates back to at least mid-December of 2013."

According to the research firm, due to the default factory settings of most low- to mid-range routers, simple password guessing through brute force attacks were used to gain access.

After the routers' DNS settings were altered through exploits that include the Cross-Site Request Forgery (CSRF) and ZyXEL firmware techniques, the compromised devices would direct traffic to malicious Web sites and domains, where multiple vulnerabilities would be loaded on a system. The two IP addresses used have been identified as originating in the Netherlands.

While the attacks have been spread over different countries in Asia and Europe, the top-targeted countries are Vietnam, Italy, Thailand, Indonesia, Colombia, Turkey, Ukraine, Bosnia and Herzegovina and Serbia.

Team Cymru said router brands being targeted include D-Link, Micronet, Tenda and TP-Link, among others. After discovering the attack, the security firm said it is currently working with the manufacturers on the situation. Further, law enforcement has been notified of the two IP addresses in question.

To mitigate the risk of attack, it is recommended that SOHO device users review all router security and settings policies. "SOHO devices should have remote user-mode administration features and GUIs disabled or, at a minimum, restricted through ACLs to only those IPs required for regular administration," read the report. "Management interfaces open to the Internet create an easily detectable and exploitable vulnerability and should be disabled immediately if found."

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.

Featured

  • Office Mobile Apps To End as Microsoft Highlights New Office App

    Microsoft plans to end support for Windows 10 Mobile applications on Jan. 12, 2021, according to a Friday announcement.

  • Is Microsoft Finally Reinventing Office?

    Microsoft is testing out a new technology called "Fluid Framework." It could mean that Brien's dream of one Office app to rule them all might soon become reality.

  • Azure Active Directory Connect Preview Adds Support for Disconnected AD Forests

    Microsoft on Thursday announced a preview of a new "Cloud Provisioning" feature for the Azure Active Directory Connect service that promises to bring together scattered Active Directory "forests."

  • Microsoft Defender ATP Gets macOS Investigation Support

    The endpoint and detection response (EDR) feature in Microsoft Defender Advanced Threat Protection (ATP) has reached the "general availability" stage for macOS devices.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.