Attackers alter DNS configurations remotely, compromise 300K routers

Share this article:

Attackers have remotely altered DNS configurations for more than 300,000 small office/home office (SOHO) routers, subsequently opening up victims to a host of compromises, according to researchers with Team Cymru's Threat Intelligence Group.

“Attackers are altering the DNS configuration on these devices in order to redirect victims DNS requests and subsequently replace intended answers with IP addresses and domains controlled by the attackers, effectively conducting a Man-in-the-Middle attack,” according to a Team Cymru report.

Team Cymru researchers observed about 80 routers that were confirmed to be compromised, and while most of the victims were located in Poland and Russia, others were observed to be residing in Belgium, China, Italy, the U.K. and the U.S., according to the report. 

Because of the number of compromised individuals and their random locations, what this likely means is that attackers are carrying out typical automated crimes, such as search result redirection, replacing of advertisements, or installing malware or other applications via drive-by downloads, according to the report.

The attack is made possible due to default SOHO settings that are vulnerable to password guessing, as well as brute force log-on attempts because the graphical user interface was accessible from the internet, according to the report, which adds that compromise via Cross-Site Request Forgery may also be possible.

“A considerable number of the remotely accessible devices also appeared vulnerable to the “ROM-0” vulnerability published in early January,” according to the report. “This vulnerability in ZyXEL's ZynOS allows attackers to download the router's configuration file from the unauthenticated GUI URL http://[IP address]/rom-0.”

The report explains, “While the resulting ROM-0 file still has to be decompressed, this process is trivial with available tools, and automated attack scripts are available online which explicitly call out the ability to change DNS settings.”

The solution to the problem does not appear to be all inclusive.

In a Tuesday email correspondence, Nathaniel Couper-Noles, principal security consultant at Neohapsis, told SCMagazine.com that it is hard to rely on vendors to consistently release firmware updates. He added that when they do, the patches may negatively impact other features pivotal for businesses and consumers.

“Long term, it would be great if SOHO devices were better designed, if firmware was open, and if vendors provided security guidance,” Couper-Noles said. “I would recommend prospective buyers to inquire with vendors as to the level of support, openness and documentation provided prior to acquisition, as well as to pick solutions that are aligned to existing or planned enterprise operations capabilities.”

On the flip side, Patrick Thomas, security consultant at Neohapsis, told SCMagazine.com in a Tuesday email correspondence that most users want to interact with these devices as little as possible, and that manufacturers must not overlook the importance of secure default settings.

“Home router manufacturers haven't yet had the incentive to make security a priority since consumers tend to think of the devices as commodity hardware, and rarely think of the software at all,” Thomas said. “So we have a situation where devices with insufficient security mechanisms are being widely deployed by users who have essentially no ability to maintain them or detect issues. It creates a very ripe target.”

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Florida Supreme Court rules warrants a must for real-time cell location tracking

Florida Supreme Court rules warrants a must for ...

The Florida Supreme Court put the kibosh on warrantless real-time tracking using location data obtained from cell phone providers.

Modular malware for OS X includes backdoor, keylogger components

Modular malware for OS X includes backdoor, keylogger ...

The modular malware was named "Ventir," by researchers at Kaspersky.

Fake Dropbox login page nabs credentials, is hosted on Dropbox

Fake Dropbox login page nabs credentials, is hosted ...

Symantec researchers received a phishing email linking recipients to a fake Dropbox login page that is hosted on Dropbox's user content domain and served over SSL.