Incident Response, Malware, TDR

Attackers alter DNS configurations remotely, compromise 300K routers

Attackers have remotely altered DNS configurations for more than 300,000 small office/home office (SOHO) routers, subsequently opening up victims to a host of compromises, according to researchers with Team Cymru's Threat Intelligence Group.

“Attackers are altering the DNS configuration on these devices in order to redirect victims DNS requests and subsequently replace intended answers with IP addresses and domains controlled by the attackers, effectively conducting a Man-in-the-Middle attack,” according to a Team Cymru report.

Team Cymru researchers observed about 80 routers that were confirmed to be compromised, and while most of the victims were located in Poland and Russia, others were observed to be residing in Belgium, China, Italy, the U.K. and the U.S., according to the report. 

Because of the number of compromised individuals and their random locations, what this likely means is that attackers are carrying out typical automated crimes, such as search result redirection, replacing of advertisements, or installing malware or other applications via drive-by downloads, according to the report.

The attack is made possible due to default SOHO settings that are vulnerable to password guessing, as well as brute force log-on attempts because the graphical user interface was accessible from the internet, according to the report, which adds that compromise via Cross-Site Request Forgery may also be possible.

“A considerable number of the remotely accessible devices also appeared vulnerable to the “ROM-0” vulnerability published in early January,” according to the report. “This vulnerability in ZyXEL's ZynOS allows attackers to download the router's configuration file from the unauthenticated GUI URL https://[IP address]/rom-0.”

The report explains, “While the resulting ROM-0 file still has to be decompressed, this process is trivial with available tools, and automated attack scripts are available online which explicitly call out the ability to change DNS settings.”

The solution to the problem does not appear to be all inclusive.

In a Tuesday email correspondence, Nathaniel Couper-Noles, principal security consultant at Neohapsis, told SCMagazine.com that it is hard to rely on vendors to consistently release firmware updates. He added that when they do, the patches may negatively impact other features pivotal for businesses and consumers.

“Long term, it would be great if SOHO devices were better designed, if firmware was open, and if vendors provided security guidance,” Couper-Noles said. “I would recommend prospective buyers to inquire with vendors as to the level of support, openness and documentation provided prior to acquisition, as well as to pick solutions that are aligned to existing or planned enterprise operations capabilities.”

On the flip side, Patrick Thomas, security consultant at Neohapsis, told SCMagazine.com in a Tuesday email correspondence that most users want to interact with these devices as little as possible, and that manufacturers must not overlook the importance of secure default settings.

“Home router manufacturers haven't yet had the incentive to make security a priority since consumers tend to think of the devices as commodity hardware, and rarely think of the software at all,” Thomas said. “So we have a situation where devices with insufficient security mechanisms are being widely deployed by users who have essentially no ability to maintain them or detect issues. It creates a very ripe target.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.