
Under-secured SOHO routers leveraged in DDoS attack campaign

Since December 2014, dozens of Incapsula customers have been the target of a distributed denial-of-service (DDoS) botnet comprised of tens of thousands of predominantly small office/home office (SOHO) routers, many of which are ARM-based Ubiquiti Networks devices.

In the campaign, which involves application layer HTTP flood attacks, Incapsula found that each compromised router was, on average, infected with four variants of MrBlack malware, which is used for DDoS attacks, according to a Tuesday post.

More than 85 percent of compromised routers are in Thailand and Brazil, with 73 percent of command-and-control systems located in China and 21 percent located in the U.S.

Careless security practices enabled the threat, the post indicated, stating that “all units are remotely accessible via HTTP and SSH on their default ports” and that “nearly all are configured with vendor-provided default login credentials.”
