Security Advisor

Hackers Target More Than 300,000 Routers in DNS Attack Campaign

Many of the compromised devices were breached using simple brute force techniques to obtain the routers' passwords.

A London-registered company appears to be responsible for an attack targeting a number of popular network routers used by small businesses and home users, according to Internet security research firm Team Cymru.

The Florida-based firm, which released a detailed report on the current attack, said the U.K. company 3NT appears to be behind a wave of consumer and small office/home office (SOHO) router attacks in Europe and Asia that have affected over 300,000 devices.

"In January 2014, Team Cymru's Enterprise Intelligence Services began investigating a SOHO pharming campaign that had overwritten router DNS settings in central Europe," read the report.  "To date, we have identified over 300,000 devices, predominantly in Europe and Asia, which we believe have been compromised as part of this campaign, one which dates back to at least mid-December of 2013."

According to the research firm, because most low- to mid-range routers ship with weak factory-default credentials, simple password guessing by brute force was enough to gain administrative access to many of the devices.

Once the routers' DNS settings had been altered, through techniques including cross-site request forgery (CSRF) against the administrative interface and a ZyXEL firmware vulnerability, the compromised devices resolved names through attacker-controlled DNS servers, so that traffic from every client behind the router could be directed to malicious Web sites and domains where vulnerabilities on the victim's system could be exploited. The two DNS server IP addresses used have been identified as originating in the Netherlands.

While the attacks span many countries, predominantly in Europe and Asia, the most affected are Vietnam, Italy, Thailand, Indonesia, Colombia, Turkey, Ukraine, Bosnia and Herzegovina, and Serbia.

Team Cymru said the router brands targeted include D-Link, Micronet, Tenda and TP-Link, among others. The security firm said it is working with the manufacturers on the situation, and law enforcement has been notified of the two IP addresses in question.

To mitigate the risk of attack, the report recommends that SOHO device owners review their routers' security settings and administration policies. "SOHO devices should have remote user-mode administration features and GUIs disabled or, at a minimum, restricted through ACLs to only those IPs required for regular administration," read the report. "Management interfaces open to the Internet create an easily detectable and exploitable vulnerability and should be disabled immediately if found."
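The two weaknesses the article describes, a DNS-settings handler that can be driven by cross-site request forgery and a management interface reachable from the Internet, are easiest to see side by side. The following is an added example written for this page; it is not code from Team Cymru's report, the article, or any router vendor. It models a router's "set DNS servers" admin handler in its naive form and in a hardened form that applies the report's advice (source-address ACL, no state change on GET, Origin check, per-session CSRF token), then replays three constructed requests against both. The LAN range, the admin origin, the request fields and the session mechanics are all assumptions made for illustration.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed deployment values (not from the article or the report).
LAN = ipaddress.ip_network("192.168.1.0/24")
ADMIN_ORIGIN = "http://192.168.1.1"   # origin the router's own admin pages are served from


@dataclass
class Request:
    """The parts of an HTTP request the handlers look at; constructed for the example."""
    method: str
    src_ip: str          # address the request arrived from (LAN host or WAN)
    cookies: dict
    headers: dict
    form: dict


def request_origin(headers):
    """Origin header if present, else the origin derived from Referer, else None."""
    if "Origin" in headers:
        return headers["Origin"]
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


@dataclass
class Router:
    dns_servers: list = field(default_factory=lambda: ["192.168.1.1"])
    sessions: dict = field(default_factory=dict)   # session id -> CSRF token
    remote_admin: bool = False                     # WAN-side management, off as the report advises

    def login(self):
        """Issue a session cookie value and a per-session CSRF token."""
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = token
        return sid, token

    def vulnerable_set_dns(self, req):
        """Naive handler: a valid session cookie is the only check.
        The browser attaches that cookie to a form post made by any site the
        admin visits, so a malicious page can rewrite the resolvers (CSRF)."""
        if req.cookies.get("sid") not in self.sessions:
            return 403
        self.dns_servers = req.form["dns"].split(",")
        return 200

    def hardened_set_dns(self, req):
        """Same operation with the checks the naive handler lacks."""
        # ACL: with remote administration disabled, only LAN sources may reach the interface.
        if not self.remote_admin and ipaddress.ip_address(req.src_ip) not in LAN:
            return 403
        if req.method != "POST":
            return 405          # no state change on GET, so an <img src=...> cannot trigger it
        sid = req.cookies.get("sid")
        if sid not in self.sessions:
            return 403
        if request_origin(req.headers) != ADMIN_ORIGIN:
            return 403          # request was initiated from another site
        # The token is embedded only in the router's own pages, so a cross-site form
        # cannot supply it; compare in constant time.
        if not secrets.compare_digest(req.form.get("csrf", ""), self.sessions[sid]):
            return 403
        self.dns_servers = req.form["dns"].split(",")
        return 200


def run_scenarios():
    """Replay three constructed requests against both handlers; returns status codes and state."""
    results = {}
    for name in ("vulnerable", "hardened"):
        router = Router()
        sid, token = router.login()
        handler = getattr(router, f"{name}_set_dns")
        # 1. CSRF: the logged-in admin's browser (a LAN host) submits a hidden form from an
        #    attacker's page; the session cookie rides along, the token and Origin do not.
        csrf = Request("POST", "192.168.1.50", {"sid": sid},
                       {"Origin": "http://attacker.example"}, {"dns": "198.51.100.53"})
        results[f"csrf_{name}"] = handler(csrf)
        results[f"dns_after_csrf_{name}"] = list(router.dns_servers)
        # 2. Direct request from the Internet, even with a valid session and token:
        #    the ACL alone should stop it.
        wan = Request("POST", "203.0.113.9", {"sid": sid},
                      {"Origin": ADMIN_ORIGIN}, {"dns": "198.51.100.53", "csrf": token})
        results[f"wan_{name}"] = handler(wan)
        # 3. Legitimate change submitted from the router's own admin page.
        legit = Request("POST", "192.168.1.50", {"sid": sid},
                        {"Origin": ADMIN_ORIGIN}, {"dns": "192.0.2.1,192.0.2.2", "csrf": token})
        results[f"legit_{name}"] = handler(legit)
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

Running it shows the naive handler accepting both the cross-site post and the WAN-originated request, leaving the router pointed at the attacker's resolver, while the hardened handler rejects both and still accepts the legitimate change from the LAN. Setting `remote_admin` to `True` reintroduces exactly the Internet-facing management interface the report tells owners to disable.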

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.
