Security Advisor

Hackers Target More Than 30,000 Routers in DNS Attack Campaign

Many of the compromised devices were breached using simple brute force techniques to obtain the routers' passwords.

A London-based corporation looks to be responsible for an attack that is targeted at a number of popular network routers used by small business owners and home users, according to Internet security research firm Team Cymru.

The Florida-based firm, which released a detailed report on the current attack, said the U.K. company 3NT is behind a wave of consumer and small office/home office (SOHO) router attacks in Europe and Asia that have affected over 30,000 devices.

"In January 2014, Team Cymru's Enterprise Intelligence Services began investigating a SOHO pharming campaign that had overwritten router DNS settings in central Europe," read the report.  "To date, we have identified over 300,000 devices, predominantly in Europe and Asia, which we believe have been compromised as part of this campaign, one which dates back to at least mid-December of 2013."

According to the research firm, due to the default factory settings of most low- to mid-range routers, simple password guessing through brute force attacks were used to gain access.

After the routers' DNS settings were altered through exploits that include the Cross-Site Request Forgery (CSRF) and ZyXEL firmware techniques, the compromised devices would direct traffic to malicious Web sites and domains, where multiple vulnerabilities would be loaded on a system. The two IP addresses used have been identified as originating in the Netherlands.

While the attacks have been spread over different countries in Asia and Europe, the top-targeted countries are Vietnam, Italy, Thailand, Indonesia, Colombia, Turkey, Ukraine, Bosnia and Herzegovina and Serbia.

Team Cymru said router brands being targeted include D-Link, Micronet, Tenda and TP-Link, among others. After discovering the attack, the security firm said it is currently working with the manufacturers on the situation. Further, law enforcement has been notified of the two IP addresses in question.

To mitigate the risk of attack, it is recommended that SOHO device users review all router security and settings policies. "SOHO devices should have remote user-mode administration features and GUIs disabled or, at a minimum, restricted through ACLs to only those IPs required for regular administration," read the report. "Management interfaces open to the Internet create an easily detectable and exploitable vulnerability and should be disabled immediately if found."

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.

Featured

  • Basic Authentication Extended to 2H 2021 for Exchange Online Users

    Microsoft is now planning to disable Basic Authentication use with its Exchange Online service sometime in the "second half of 2021," according to a Friday announcement.

  • Microsoft Offers Endpoint Configuration Manager Advice for Keeping Remote Clients Patched

    Microsoft this week offered advice for organizations using Microsoft Endpoint Configuration Manager with remote Windows systems that need to get patched, and it also announced Update 2002.

  • Azure Edge Zones Hit Preview

    Azure Edge Zones, a new edge computing technology from Microsoft designed to enable new scenarios for developers and partners, emerged as a preview release this week.

  • Microsoft Shifts 2020 Events To Be Online Only

    Microsoft is shifting its big events this year to be online only, including Ignite 2020.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.