Security Advisor

Hackers Target More Than 30,000 Routers in DNS Attack Campaign

Many of the compromised devices were breached using simple brute force techniques to obtain the routers' passwords.

A London-based corporation appears to be responsible for an attack targeting a number of popular network routers used by small business owners and home users, according to Internet security research firm Team Cymru.

The Florida-based firm, which released a detailed report on the current attack, said the U.K. company 3NT is behind a wave of consumer and small office/home office (SOHO) router attacks in Europe and Asia that have affected over 30,000 devices.

"In January 2014, Team Cymru's Enterprise Intelligence Services began investigating a SOHO pharming campaign that had overwritten router DNS settings in central Europe," read the report. "To date, we have identified over 300,000 devices, predominantly in Europe and Asia, which we believe have been compromised as part of this campaign, one which dates back to at least mid-December of 2013."

According to the research firm, because most low- to mid-range routers ship with default factory settings, simple password guessing through brute force attacks was used to gain access.

After the routers' DNS settings were altered through exploits that include Cross-Site Request Forgery (CSRF) and ZyXEL firmware techniques, the compromised devices would direct traffic to malicious Web sites and domains, where multiple vulnerabilities would be loaded on a system. The two IP addresses used have been identified as originating in the Netherlands.

While the attacks have been spread over different countries in Asia and Europe, the top-targeted countries are Vietnam, Italy, Thailand, Indonesia, Colombia, Turkey, Ukraine, Bosnia and Herzegovina and Serbia.

Team Cymru said router brands being targeted include D-Link, Micronet, Tenda and TP-Link, among others. After discovering the attack, the security firm said it is currently working with the manufacturers on the situation. Further, law enforcement has been notified of the two IP addresses in question.

To mitigate the risk of attack, it is recommended that SOHO device users review all router security and settings policies. "SOHO devices should have remote user-mode administration features and GUIs disabled or, at a minimum, restricted through ACLs to only those IPs required for regular administration," read the report. "Management interfaces open to the Internet create an easily detectable and exploitable vulnerability and should be disabled immediately if found."
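One way to check a client machine for the DNS overwrite described above, as an added example that is not from the article or the Team Cymru report: it classifies the resolvers a router has handed out against an allowlist. The allowlist, every address in the sample (documentation ranges) and the function names are constructed assumptions.

```python
import ipaddress

# Assumption: the resolvers this network is supposed to use. These are
# constructed documentation-range addresses standing in for an ISP's servers.
EXPECTED_RESOLVERS = {"198.51.100.53", "198.51.100.54"}

# Ranges that can only be reached on the local network (the router itself).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed sample of a resolv.conf written from a router's DHCP lease.
SAMPLE = """\
# constructed sample
nameserver 192.168.1.1
nameserver 203.0.113.7   # not in the allowlist
nameserver 198.51.100.53
nameserver not-an-ip
"""

def parse_nameservers(resolv_conf_text):
    """Return the nameserver values from resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def audit_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Map each resolver to 'expected', 'local', 'unexpected' or 'invalid'."""
    expected_addrs = {ipaddress.ip_address(e) for e in expected}
    findings = {}
    for raw in servers:
        try:
            addr = ipaddress.ip_address(raw.split("%", 1)[0])  # strip zone id
        except ValueError:
            findings[raw] = "invalid"
            continue
        if addr in expected_addrs:
            findings[raw] = "expected"
        elif any(addr in net for net in LOCAL_NETS):
            findings[raw] = "local"        # router acts as a DNS proxy
        else:
            findings[raw] = "unexpected"   # public resolver nobody approved
    return findings

if __name__ == "__main__":
    for server, verdict in audit_resolvers(parse_nameservers(SAMPLE)).items():
        print(f"{server:16} {verdict}")
```

A "local" result only shows that the router is proxying DNS; in that case the upstream DNS servers configured on the router itself still have to be compared against the same allowlist.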

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.
