It’s finally happened: Hackers are coming for home routers en masse • The Register

http://www.theregister.co.uk/2016/10/19/home_router_insecurity/

It is not just IoT devices that are being hacked en masse. Home routers, with flaws of their own, are being hit as well.

17 Comments

  1. Tomi Engdahl says:

    Low-Bandwidth “BlackNurse” DDoS Attacks Can Disrupt Firewalls
    http://www.securityweek.com/low-bandwidth-blacknurse-ddos-attacks-can-disrupt-firewalls

    Some attacks based on the Internet Control Message Protocol (ICMP) can cause serious disruptions even over low bandwidths.

    ICMP attacks, also known as ping flood attacks, are highly common, but they typically rely on Type 8 Code 0 packets.

    The attacks, dubbed by the company “BlackNurse,” can be highly effective even at bandwidths as low as 15-18 Mbps and they can cause disruptions to firewalls even if the victim has an Internet connection of 1 Gbps.

    “The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops,” TDC explained in a report detailing BlackNurse attacks.

    A scan of the Danish IP address space revealed that there were over 1.7 million devices responding to ICMP pings, which means these attacks can have a significant impact.

    Researchers have so far confirmed that BlackNurse attacks work against Cisco ASA and SonicWall firewalls, but they likely also affect products from Palo Alto Networks and other vendors. The Iptables firewall utility for Linux, MikroTik products and OpenBSD are not affected.

    Detection rules and proof-of-concept (PoC) code have been made available to allow users to identify attacks and test their equipment.
    http://soc.tdc.dk/blacknurse/blacknurse.pdf

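
The post above describes BlackNurse as a low-bandwidth ICMP attack and notes that TDC published detection rules. The following is an added example (not TDC's rules and not code from the article) of the rate-based detection idea: BlackNurse traffic is ICMP Type 3 Code 3 (Destination Unreachable / Port Unreachable), whereas a classic ping flood is Type 8 Code 0, and because the damage is CPU load rather than link saturation, the signal to alert on is packets per second per destination, not bits per second. The `IcmpRecord` shape, the 250 pps threshold and the sample capture are constructed for illustration.

```python
"""Rate-based detection of BlackNurse-style ICMP floods from per-packet records.

Added example; not part of the original post or of TDC's published rules.
BlackNurse packets are ICMP Type 3 Code 3 (port unreachable); a ping flood is
Type 8 Code 0 (echo request).  Record format, threshold and sample capture are
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

ICMP_ECHO_REQUEST = (8, 0)       # classic ping flood
ICMP_PORT_UNREACHABLE = (3, 3)   # BlackNurse


@dataclass(frozen=True)
class IcmpRecord:
    ts: float        # seconds since capture start (constructed field layout)
    src: str
    dst: str
    icmp_type: int
    icmp_code: int
    length: int      # bytes on the wire


def detect_icmp_floods(records, *, pps_threshold=250, window=1.0):
    """Return {(dst, label): peak_count} for destinations whose ICMP rate of a
    given kind exceeded pps_threshold in any time window of `window` seconds.

    The threshold is a constructed example value; tune it per site.  A few
    hundred 70-byte packets per second is far below 1 Mbps, yet the post
    reports firewalls choking on BlackNurse at 15-18 Mbps, so bandwidth
    monitoring alone would miss it.
    """
    buckets = defaultdict(int)  # (dst, label, window index) -> packet count
    for r in records:
        kind = (r.icmp_type, r.icmp_code)
        if kind == ICMP_PORT_UNREACHABLE:
            label = "blacknurse"
        elif kind == ICMP_ECHO_REQUEST:
            label = "ping-flood"
        else:
            continue  # other ICMP types are not part of either signature
        buckets[(r.dst, label, int(r.ts // window))] += 1

    alerts = {}
    for (dst, label, _win), count in buckets.items():
        if count / window > pps_threshold:
            key = (dst, label)
            alerts[key] = max(alerts.get(key, 0), count)
    return alerts


def constructed_capture():
    """Constructed sample: a one-second burst of 400 port-unreachable packets
    from many spoofed sources at a firewall's WAN address, then ten seconds of
    legitimate traceroute replies and pings at one packet per second each."""
    recs = []
    for i in range(400):
        recs.append(IcmpRecord(ts=i / 400, src=f"198.51.100.{i % 250 + 1}",
                               dst="203.0.113.10", icmp_type=3, icmp_code=3, length=70))
    for i in range(10):
        recs.append(IcmpRecord(ts=1.5 + i, src="192.0.2.1", dst="203.0.113.10",
                               icmp_type=3, icmp_code=3, length=70))
        recs.append(IcmpRecord(ts=1.2 + i, src="192.0.2.2", dst="203.0.113.10",
                               icmp_type=8, icmp_code=0, length=98))
    return recs


if __name__ == "__main__":
    for (dst, label), peak in detect_icmp_floods(constructed_capture()).items():
        print(f"ALERT {label} towards {dst}: peak {peak} packets in one window")
```

The background trickle of genuine port-unreachable messages (traceroute relies on them) stays under the threshold, which is why the rule keys on rate rather than on the mere presence of Type 3 Code 3 traffic; blocking that type outright would break path diagnostics.
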
  2. Tomi Engdahl says:

    ‘Likely Hacker Attack’ Hits Almost 1 Million German Homes
    http://www.securityweek.com/likely-hacker-attack-hits-almost-1-million-german-homes

    Internet service for almost one million households in Germany was disrupted by likely deliberate hacking, provider Deutsche Telekom said Monday.

    Around 900,000 customers using specific models of router have been affected since Sunday afternoon, the firm said, with some unable to connect at all while others suffered intermittent problems.

    “We believe that influence was exerted on the routers from outside,” a Telekom spokesman told AFP, saying software had been installed on the devices that prevented them from connecting to the company’s network.

    It did not provide details of which models of router — network hardware that connects households to their internet and telephone service provider — were affected.

    Deutsche Telekom said that its engineers and colleagues from the companies that produce the devices had been working through the night to find a solution.

    Customers affected have been advised to disconnect their routers from the network since the problems began on Sunday afternoon.

    Germany has been the target of repeated cyber attacks in recent years.

  3. Tomi Engdahl says:

    German ISP Confirms Malware Attacks Caused Disruptions
    http://www.securityweek.com/german-isp-confirms-malware-attacks-caused-disruptions

    German telecommunications giant Deutsche Telekom has confirmed that more than 900,000 of its 20 million fixed-line network customers experienced Internet disruptions due to malware attacks on their routers.

    In a press statement released on Monday, Deutsche Telekom said malicious actors had been trying to infect routers with malware, but the attempts failed, which led to 4-5 percent of devices crashing and preventing owners from going online.

    Since the malware only resides in the router’s memory, customers have been advised to reboot their devices in order to clean the infection. Deutsche Telekom has also released a firmware update that should prevent infections on its Speedport routers.

    Germany’s Federal Office for Information Security (BSI) reported that some government networks protected by the organization were also targeted in attacks. These attacks were mitigated by the existing protection mechanisms, the BSI said.

    Attacks have been observed in several countries. Researchers determined that a piece of malware based on Mirai, whose source code was leaked recently, has been using port 7547 to hijack routers and modems.

  4. Tomi Engdahl says:

    100,000 UK Routers Likely Affected by Mirai Variant
    http://www.securityweek.com/100000-uk-routers-likely-affected-mirai-variant

    Approximately 100,000 UK TalkTalk and Post Office ISP users were affected by the recent Mirai attack that severely affected nearly a million Deutsche Telekom customers in Germany in late November. It was assumed that the UK victims were the outer ripples of the primary attack; and this was confirmed by a subsequent report that quoted the Mirai developer as apologizing for the effect on the Post Office. The UK disruption was apparently an accident and not done intentionally.

    This version of events is now questioned by the findings of Pen Test Partners. Senior consultant Andrew Tierney reported Friday that the effect on TalkTalk routers was different to the effect on Deutsche Telekom routers. “We can’t see what is causing the claimed ISP outages for TalkTalk and the Post Office reported in the press. It shouldn’t stop the router routing, and as of yet, the bots haven’t taken part in any attacks.”

    Pen Test Partners concluded, “Whilst the spread and purpose of the bot net is similar to Mirai, there are enough differences with this variant that it should really get a new name.”

    TR-064 worm. It’s not Mirai and the outages are interesting
    https://www.pentestpartners.com/blog/tr-064-worm-its-not-mirai-and-the-outages-are-interesting/

    We’ve been looking at the code behind the worm that’s exploiting TalkTalk, PostOffice and many other Zyxel routers using the Allegro RomPager HTTP server.

    What’s odd is that we can’t currently see why it’s causing outages, other than perhaps collapsing under the congestion of scanning for more vulnerable routers.

    The vulnerability is fairly simple, and relies on a series of mistakes.

    Port 7547 is open on these routers to listen for a “knock” to tell them to connect back to a provisioning server. It’s meant to be exposed to the WAN side of the router. This is part of TR-069, which has been discussed a lot in the past.

    Curiously, it also appears that TR-064 is also available on port 7547. TR-064 is called “LAN-Side DSL CPE Configuration”, and unsurprisingly, is only meant to be exposed on the LAN side of the router.

    The TR-064 specification requires authentication, but this seems to be missing.

  5. Tomi Engdahl says:

    TalkTalk’s wi-fi hack advice is ‘astonishing’
    http://www.bbc.com/news/technology-38223805

    TalkTalk’s handling of a wi-fi password breach is being criticised by several cyber-security experts.

    The BBC has presented the company with evidence that many of its customers’ router credentials have been hacked, putting them at risk of data theft.

    The UK broadband provider confirmed that the sample of stolen router IDs it had been shown was real.

    But it is still advising users that there is “no need” to change their routers’ settings.

    A cyber-security advisor to Europol said he was astounded by the decision.

    “If TalkTalk has evidence that significant numbers of passwords are out in the wild, then at the very least they should be advising their customers to change their passwords,” said the University of Surrey’s Prof Alan Woodward.

    “To say they see no need to do so is, frankly, astonishing.”

    A spokeswoman for TalkTalk said that customers could change their settings “if they wish” but added that she believed there was “no risk to their personal information”.

    She referred the BBC to another security expert. But when questioned, he also said the company should change its advice.

    The BBC was subsequently contacted by someone who said he had access to a database of 57,000 router IDs that had been scraped before any fix had been rolled out.

    He did not reveal his identity, but agreed to share a sample of the credentials that had been harvested.

    The list contained details of about 100 routers including:

    their service set identifier (SSID) codes and media access control (MAC) addresses. These can be entered into online tools that reveal the physical location of the routers
    the router passwords, which would allow someone who travelled to the identified property to access the wi-fi network

    The source said he wanted to highlight the problem because other more malevolent actors might have carried out a similar operation.

    Prof Alan Woodward said once a hacker was outside a vulnerable property, they could:

    snoop in the resident’s data, which might be clearly visible or encrypted in ways that still allowed the original information to be easily recovered
    use the internet connection to mount an onward attack. The hacker could do this to hide their own identity or to co-opt the router to join an army of other compromised equipment in later DDoS (distributed denial of service) attacks
    log in to the router as the administrator and mount a “man in the middle attack”, where apparently secure communications could be listened in on
    substitute the router’s firmware with a modified version that provided a backdoor for later access even if the device was reset

    ‘Fast and loose’

    TalkTalk’s spokeswoman referred the BBC to Steve Armstrong, a cyber-security instructor that she said would support it on the matter.

    He said the risk to an individual user was relatively low.

    “If you look at the average home user and what is on their home network, that would be exposed to an attacker,… then there is not a great deal.

    “The risk is probably no higher than using a [coffee shop's] open wi-fi network.”

    But he added that he still felt TalkTalk was giving the wrong advice.

    “Part of my pushback to them is that they should be telling people, ‘You need to change your password,’” he said.

  6. Tomi Engdahl says:

    Hacker Claims To Push Malicious Firmware Update to 3.2 Million Home Routers
    https://motherboard.vice.com/read/hacker-claims-to-push-malicious-firmware-update-to-32-million-home-routers

    One of the hackers who amassed a new massive army of zombie internet-connected devices that can launch disruptive cyberattacks—even by mistake—now claims to have taken control of 3.2 million home routers, taking advantage of a flaw that allowed anyone to connect to them.

    On Monday, the cybercriminal, who calls himself BestBuy, claimed to have set up a server that would automatically connect to vulnerable routers and push a malicious firmware update to them. This, he said, would grant him persistent access and the ability to lock out the owners as well as internet providers and device manufacturers.

    “They are ours, even after reboot. They will not accept any new firmware from [Internet Service Provider] or anyone, and connect back to us every time :),” BestBuy said in an online chat. “Bots that cannot die until u throw device into the trash.”

    Yet, they all agreed that BestBuy’s story was plausible, and potentially really bad news for the routers’ owners as well as their internet providers.

    “Jesus christ,” said Darren Martyn, a security researcher who’s been tracking the recent wave of cyberattacks coming from hacked Internet of Things devices infected with Mirai. “Assuming [the hackers] didn’t fuck up repacking the firmware, and they didn’t do anything spectacularly stupid when backdooring it, their firmware backdoors will probably work just fine.”

    None of the security researchers I contacted, however, could find one of the hacked routers in the wild.

    “[It] would mean patching firmware for each different model and possibly even for each ISP,” he told Motherboard in an online chat. “Some firmware takes 15 minutes to patch, other can take days. But it is easy to mess up.”

  7. Tomi Engdahl says:

    Lucian Constantin / PCWorld:
    Many models of Netgear routers exposed to critical remotely-exploitable security flaw; affected users recommended to stop using routers until patch is available

    Nasty unpatched vulnerability exposes Netgear routers to easy hacking
    The flaw allows hackers to execute arbitrary shell commands on affected devices.
    http://www.pcworld.com/article/3149554/security/an-unpatched-vulnerability-exposes-netgear-routers-to-hacking.html

    Several models of Netgear routers are affected by a publicly disclosed vulnerability that could allow hackers to take them over.

    An exploit for the vulnerability was published Friday by a researcher who uses the online handle Acew0rm. He claims that he reported the flaw to Netgear in August, but didn’t hear back.

    The issue stems from improper input sanitization in a form in the router’s web-based management interface and allows the injection and execution of arbitrary shell commands on an affected device.

    The U.S. CERT Coordination Center (CERT CC) at Carnegie Mellon University rated the flaw as critical, assigning it a score of 9.3 out of 10 in the Common Vulnerability Scoring System (CVSS).

    Netgear confirmed the vulnerability over the weekend and said that its R7000, R6400 and R8000 routers might be vulnerable. However, another researcher performed a test and reported that other routers from Netgear’s Nighthawk line are also affected. These include: R7000, R7000P, R7500, R7800, R8500 and R9000.

    Since the vulnerability can be exploited with an HTTP request that doesn’t require authentication, hackers can attack the affected routers using cross-site request forgery attacks (CSRF). This works even when the routers don’t have their management interfaces exposed to the Internet.

    CSRF attacks hijack users’ browsers when visiting specifically crafted webpages and send unauthorized requests through them. This makes it possible for a malicious website to force a user’s browser to exploit the router over the LAN.

    CERT CC recommends that users stop using the affected routers until an official patch becomes available, if they can do so. However, there is a workaround that involves exploiting the flaw to stop the router’s web server and prevent future attacks.

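
The post above names the bug class without code: a form field in the router's web interface is passed to a shell without sanitisation, and because the request needs no authentication a malicious web page can make the victim's own browser send it to the router over the LAN (CSRF). The following added example is not Netgear's firmware and not the published exploit; it shows the generic pattern in a constructed "ping a host" diagnostics handler, with the vulnerable string-building beside a hardened version that validates the field, avoids the shell entirely and requires a per-session CSRF token. The function names, the `csrf_token` field and the secret are constructed for illustration.

```python
"""Command injection via a router web form: vulnerable and hardened handlers.

Added example, not code from the article or from any vendor's firmware.  The
"ping" diagnostics form, handler names and secrets are constructed.
"""
import hashlib
import hmac
import ipaddress
import re


# --- vulnerable: user input concatenated into a shell command string -------
def build_ping_command_vulnerable(target):
    # If this string reaches a shell, metacharacters such as ';' or '`' in
    # `target` turn a ping into arbitrary command execution.  Built, never run.
    return f"ping -c 3 {target}"


# --- hardened: validate the value, then pass it as one argv element --------
# RFC 1123-style hostname: labels of letters, digits and hyphens, no leading
# or trailing hyphen, total length at most 253 characters.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def validate_target(target):
    """Return `target` if it is an IP literal or a plain hostname, else raise."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"rejected diagnostics target: {target!r}")


def build_ping_argv(target):
    """argv for subprocess.run(argv, shell=False): no shell parses the value,
    and the validator has already excluded anything but an address or name."""
    return ["ping", "-c", "3", validate_target(target)]


def csrf_token(session_id, secret):
    """Per-session anti-CSRF token (HMAC of the session id under a server secret)."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def handle_ping_request(form, session_id, secret):
    """Hardened request handler: reject cross-site requests, then validate input.

    A page on another origin can make the browser POST to the router, but it
    cannot read the token tied to the victim's session, so the request fails
    before any input is looked at.  Authentication alone would not stop this,
    because the browser sends the user's credentials along with the forged
    request.
    """
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session_id, secret)):
        raise PermissionError("missing or invalid CSRF token")
    return build_ping_argv(form.get("target", ""))


if __name__ == "__main__":
    hostile = "192.0.2.7; reboot"   # constructed hostile form value
    print("vulnerable builds:", build_ping_command_vulnerable(hostile))
    try:
        build_ping_argv(hostile)
    except ValueError as exc:
        print("hardened rejects:", exc)
```

Both fixes are needed: the token stops a third-party page from driving the request, and the validation plus argv list removes the injection even for requests that do carry a valid token.
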
  9. Tomi Engdahl says:

    Hacker shows how easy it is to take over a city’s public Wi-Fi network
    A buffer overflow in a single router model could have endangered thousands of Wi-Fi users
    http://www.pcworld.com/article/3140627/security/hacker-shows-how-easy-it-is-to-take-over-a-citys-public-wi-fi-network.html

    In a perfect example of how public wireless networks can be dangerous for privacy and security, an Israeli hacker showed that he could have taken over the free Wi-Fi network of an entire city.

    On his way home from work one day, Amihai Neiderman, the head of research at Israeli cybersecurity firm Equus Technologies, spotted a wireless hotspot that he hadn’t seen before. What made it unusual was that it was in an area with no buildings.

    It turned out that the hotspot he saw, advertised as “FREE_TLV,” was part of the citywide free Wi-Fi network set up by the local administration of Tel Aviv, Israel. This made Neiderman wonder: How secure is it?

  10. Tomi Engdahl says:

    TP-Link Debug Protocol Gives Up Keys To Kingdom
    http://hackaday.com/2016/12/14/tp-link-debug-protocol-give-up-keys-to-kingdom/

    [Andres] wanted to install a custom OS firmware on a cheap home router, so he bought a router known to be reflashable only to find that the newer version of the firmware made that difficult. We’ve all been there.

    This is not a weekend hack — this took a professional many hours of serious labor. But it was made a lot easier because TP-Link left a debugging protocol active, listening on the LAN interface, and not requiring authentication.

    (It’s not a bug, it’s a feature!) But still, this is an awesome hack!

  11. Tomi Engdahl says:

    Malvertising Campaign Infects Your Router Instead of Your Browser
    https://it.slashdot.org/story/16/12/14/2059217/malvertising-campaign-infects-your-router-instead-of-your-browser

    Malicious ads are serving exploit code to infect routers, instead of browsers, in order to insert ads in every site users are visiting. Unlike previous malvertising campaigns that targeted users of old Flash or Internet Explorer versions, this campaign focused on Chrome users, on both desktop and mobile devices. The malicious ads included in this malvertising campaign contain exploit code for 166 router models, which allow attackers to take over the device and insert ads on websites that didn’t feature ads, or replace original ads with the attackers’ own. Researchers haven’t yet managed to determine an exact list of affected router models, but some of the brands targeted by the attackers include Linksys, Netgear, D-Link, Comtrend, Pirelli, and Zyxel.

    Malvertising Campaign Infects Your Router Instead of Your Browser
    https://www.bleepingcomputer.com/news/security/malvertising-campaign-infects-your-router-instead-of-your-browser/

    Exploit kit searches for vulnerable routers, not browsers or Flash installs

    The way this entire operation works is by crooks buying ads on legitimate websites. The attackers insert malicious JavaScript in these ads, which use a WebRTC request to a Mozilla STUN server to determine the user’s local IP address.

    Based on this local IP address, the malicious code can determine if the user is on a local network managed by a small home router, and continue the attack. If this check fails, the attackers just show a random legitimate ad and move on.

    For the victims the crooks deem valuable, the attack chain continues. These users receive a tainted ad which redirects them to the DNSChanger EK home, where the actual exploitation begins.

    The next step is for the attackers to send an image file to the user’s browser, which contains an AES (encryption algorithm) key embedded inside the photo using the technique of steganography.

    The malicious ad uses this AES key to decrypt further traffic it receives from the DNSChanger exploit kit. Crooks encrypt their operations to avoid the prying eyes of security researchers.

    Malvertising campaign targets 166 router models

    After the user receives his encryption key, the DNSChanger exploit kit sends each victim a list of router “fingerprints.” Proofpoint researchers say they’ve seen the exploit kit serving 166 router fingerprints at the time of writing.

    The malicious ad uses these fingerprints to test the router type the user is using, and then report back to the exploit kit’s server.

    The DNSChanger EK replies back with exploit packages that can take over the router and change its DNS settings in order to relay traffic through the crooks’ servers.

    Attackers use compromised routers to replace ads in the user’s normal traffic

    Once the attacker has gained control over the router, he can use it to replace legitimate ads with his own, or add advertisements on websites that didn’t feature ads.

    While previous malvertising campaigns usually targeted users of Internet Explorer, this campaign focused on Chrome users, on both desktop and mobile devices. Ad replacement and insertion also takes place on traffic to mobile devices, not just desktops.

    Updating router firmware is the recommended course of action

    Because the attack is carried out via the user’s browser, using strong router passwords or disabling the administration interface is not enough.

    The only way users can stay safe is if they update their router’s firmware to the most recent versions, which most likely includes protection against the vulnerabilities used by the DNSChanger EK.

  12. Tomi Engdahl says:

    Malvertising Campaign Targets Routers
    http://www.securityweek.com/malvertising-campaign-targets-routers

    A recently observed malvertising campaign is focused on compromising user’s home routers rather than exploiting vulnerabilities in their browsers.

    Carried out by the actors behind the DNSChanger exploit kit (EK), the campaign doesn’t target browser or device vulnerabilities, but attempts to infect home or small office (SOHO) routers instead. The attackers use an improved version of the DNSChanger, which usually works through the Chrome browser on Windows desktops and Android devices, Proofpoint security researchers reveal.

    Once the targeted router has been compromised, however, users are exposed to further malvertising, regardless of the device, operating system, or browser they use. The security researchers also note that the attacks on routers happen in waves likely associated with ongoing malvertising campaigns lasting several days, and they appear related to the “CSRF (Cross-Site Request Forgery) Soho Pharming” operations in the first half of 2015.

    The campaign has grown from 55 fingerprints last year to 166, some of which are working for several router models, and the malvertising chain is now accepting Android devices as well, the security researchers explain.

  13. Tomi Engdahl says:

    “Switcher” Android Trojan Hacks Routers, Hijacks Traffic
    http://www.securityweek.com/switcher-android-trojan-hacks-routers-hijacks-traffic

    Researchers at Kaspersky Lab have come across a new Android Trojan that hacks routers and changes their DNS settings in an effort to redirect traffic to malicious websites.

    Dubbed “Switcher,” the malware has been disguised as an Android client for the Chinese search engine Baidu, and a Chinese app for sharing Wi-Fi network details. Once users install one of these apps, the malware attempts to guess the username and password of the Wi-Fi router the infected Android device is connected to.

    Switcher includes a list of more than two dozen username and password combinations that could allow it to access the router’s web administration interface, such as admin:admin, admin:123456, or admin:00000000.

    “With the help of JavaScript it tries to login using different combinations of logins and passwords. Judging by the hardcoded names of input fields and the structures of the HTML documents that the trojan tries to access, the JavaScript code used will work only on web interfaces of TP-LINK Wi-Fi routers,” Nikita Buchka, mobile security expert at Kaspersky Lab, said in a blog post.

    Switcher: Android joins the ‘attack-the-router’ club
    https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/

    Recently, in our never-ending quest to protect the world from malware, we found a misbehaving Android trojan. Although malware targeting the Android OS stopped being a novelty quite some time ago, this trojan is quite unique. Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network. The trojan, dubbed Trojan.AndroidOS.Switcher, performs a brute-force password guessing attack on the router’s admin web interface. If the attack succeeds, the malware changes the addresses of the DNS servers in the router’s settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to the servers of the cybercriminals (such an attack is also known as DNS-hijacking). So, let us explain in detail how Switcher performs its brute-force attacks, gets into the routers and undertakes its DNS-hijack.

  15. Tomi Engdahl says:

    Hundreds of Thousands of Netgear Routers Vulnerable to Password Bypass
    https://threatpost.com/hundreds-of-thousands-of-netgear-routers-vulnerable-to-password-bypass/123462/

    Hundreds of thousands–potentially more than one million–Netgear routers are susceptible to a pair of vulnerabilities that can lead to password disclosure.

    Researchers said that while anyone who has physical access to a router can exploit the vulnerabilities locally, the real threat is that the flaw can also be exploited remotely.

    The vulnerabilities can be remotely exploited if the router’s remote management option is enabled.

    While Netgear claims remote management is turned off on routers by default, Kenin said there are “hundreds of thousands, if not over a million” devices left remotely accessible.

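
Several of the posts above end at the same three symptoms on the router itself: DNS servers swapped for the attackers' (the DNSChanger malvertising campaign and the Switcher Android trojan), factory-default admin credentials such as admin:admin, admin:123456 or admin:00000000 (the list Switcher tries first), and management reachable from the WAN (the Netgear password-bypass post, and the TR-064 worm's port 7547 before it). The following added example audits a router configuration dump for those three conditions. It is not code from any of the quoted articles; the `key=value` dump format, the key names, the trusted-resolver allowlist and the 12-character password threshold are constructed for illustration, and only the three credential pairs named in the Switcher post are taken from the page.

```python
"""Audit a SOHO router configuration dump for DNS hijack, default credentials
and WAN-exposed management.

Added example, not code from the quoted articles.  The key=value dump format,
key names, resolver allowlist and password-length threshold are constructed;
the default credential pairs are those named in the Switcher write-up.
"""
import ipaddress

# Credential pairs from the Switcher post; a real audit would use a longer list.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "123456"), ("admin", "00000000")}

# Constructed allowlist: the ISP's resolvers plus public resolvers the owner chose.
TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54", "1.1.1.1", "8.8.8.8"}

DNS_KEYS = ("wan_dns1", "wan_dns2", "lan_dhcp_dns1", "lan_dhcp_dns2")


def parse_config_dump(text):
    """Parse 'key=value' lines into a dict; blank lines and '#' comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_router(cfg):
    """Return a list of (severity, finding) tuples; an empty list means no findings."""
    findings = []

    # 1. Resolvers used upstream or handed out by DHCP must be ones we trust.
    #    DNSChanger and Switcher both work by rewriting exactly these settings.
    for key in DNS_KEYS:
        value = cfg.get(key, "")
        if not value:
            continue
        try:
            ipaddress.ip_address(value)
        except ValueError:
            findings.append(("high", f"{key} is not an IP address: {value!r}"))
            continue
        if value not in TRUSTED_RESOLVERS:
            findings.append(("high", f"{key} points at untrusted resolver {value} (possible DNS hijack)"))

    # 2. Factory-default credentials fall to the first guesses of a brute-forcer.
    creds = (cfg.get("http_username", ""), cfg.get("http_passwd", ""))
    if creds in DEFAULT_CREDENTIALS:
        findings.append(("high", f"admin account uses factory-default credentials {creds[0]}:{creds[1]}"))
    elif len(creds[1]) < 12:  # constructed policy threshold
        findings.append(("medium", "admin password is shorter than 12 characters"))

    # 3. Management on the WAN turns every LAN-side bug into a remote one.
    if cfg.get("remote_management", "0") == "1":
        findings.append(("high", "remote management is enabled on the WAN interface"))

    return findings


# Constructed dump of a router showing all three symptoms.
CONSTRUCTED_COMPROMISED_DUMP = """
# constructed nvram-style dump
wan_dns1=198.51.100.66
wan_dns2=192.0.2.53
lan_dhcp_dns1=198.51.100.66
http_username=admin
http_passwd=admin
remote_management=1
"""

# Constructed dump of a router that passes the audit.
CONSTRUCTED_CLEAN_DUMP = """
wan_dns1=192.0.2.53
wan_dns2=1.1.1.1
http_username=owner
http_passwd=correct-horse-battery
remote_management=0
"""

if __name__ == "__main__":
    for severity, text in audit_router(parse_config_dump(CONSTRUCTED_COMPROMISED_DUMP)):
        print(f"[{severity}] {text}")
```

The DNS check is the one worth automating on a schedule: the malvertising post points out that strong passwords and a disabled admin interface do not stop a browser-borne CSRF attack, so a periodic comparison of the router's resolver settings against a known-good list is the detection that remains when prevention has failed.
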
  16. Tomi Engdahl says:

    FYI: You can blow Intel-powered broadband modems off the ‘net with a ‘trivial’ packet stream
    All too easy to choke enemies’ gateways, it seems
    https://www.theregister.co.uk/2017/04/27/intel_puma6_chipset_trivial_to_dos/

    Broadband modems using Intel’s bungled Puma 6 chipset can be overloaded and virtually knocked offline by a trivial stream of packets, it is claimed.

    Effectively, if there’s someone you don’t like, and they are one of thousands upon thousands of people using a Puma 6-powered home gateway, and you know their IP address, you can kick them off the internet, we’re told.

    This week, inquisitive netizens discovered that, when presented with even modest amounts of packets – as little as 1.5Mbps – modems equipped with a Puma 6 can be slowed to a crawl.

    According to one engineer who spoke to El Reg on the issue, the flaw would be “trivial” to exploit in the wild and would effectively render the targeted box useless for the duration.

    “You send a stream of 200Kbps of TCP, UDP or maybe even ICMP to different port numbers and it has a tiny table to keep track of these and become immd unresponsive. It comes back after you stop,” our tipster explains.

    “It can be exploited remotely and there is no way to mitigate the issue.”

    This will be particularly frustrating for Puma 6 modem owners because the boxes are pitched as gigabit internet modems

    The Puma 6 chipset is used in a number of ISP-branded cable modems
