A group of attackers managed to compromise 300,000 home and small-office wireless routers, altering their settings to use rogue DNS servers, according to Internet security research organization Team Cymru.

In January, Team Cymru's researchers identified two TP-Link wireless routers whose settings had been altered to send DNS (Domain Name System) requests to two particular IP addresses: 5.45.75.11 and 5.45.76.36. An analysis of the rogue DNS servers running at those IP addresses revealed a mass-scale compromise of consumer networking devices.

Over a one-week period, more than 300,000 unique IP addresses sent DNS requests to the two servers, the Team Cymru researchers said in a report released Monday. Many of those IP addresses corresponded to a range of routers, including models from D-Link, Micronet, Tenda, TP-Link and other manufacturers, that had their DNS settings maliciously altered, they said.
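The report's headline number came from counting unique source addresses that sent DNS queries to the two rogue resolvers. The following is an added example of that detection logic, not code from Team Cymru or the article: it parses constructed flow-log lines (the format, the 10.0.0.x "customer router" addresses and the legitimate resolver are all made up here) and groups the source IPs that sent port-53 traffic to the two reported resolver addresses, ignoring traffic to those IPs on other ports.

```python
"""Flag hosts whose outbound DNS traffic goes to the rogue resolvers named in
the Team Cymru report. Added example; the log format and the hosts in it are
constructed for illustration, only the two resolver IPs come from the article."""
from collections import defaultdict

# The two rogue resolver addresses reported by Team Cymru (from the article).
ROGUE_RESOLVERS = {"5.45.75.11", "5.45.76.36"}

# Constructed flow-log lines: "timestamp src dst proto dport".
# 10.0.0.x are pretend customer routers; 8.8.8.8 stands in for a legitimate resolver.
SAMPLE_FLOWS = """\
2014-01-20T10:00:01Z 10.0.0.5 5.45.75.11 udp 53
2014-01-20T10:00:02Z 10.0.0.5 5.45.76.36 udp 53
2014-01-20T10:00:03Z 10.0.0.9 8.8.8.8 udp 53
2014-01-20T10:00:04Z 10.0.0.12 5.45.75.11 udp 53
2014-01-20T10:00:05Z 10.0.0.5 5.45.75.11 udp 53
2014-01-20T10:00:06Z 10.0.0.9 5.45.75.11 tcp 443
2014-01-20T10:00:07Z 10.0.0.20 5.45.75.11 udp 53
"""


def parse_flow(line):
    """Split one constructed flow record into its fields."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "dport": int(dport)}


def find_rogue_dns_clients(log_text, rogue=ROGUE_RESOLVERS):
    """Return {rogue_resolver: set of source IPs} for DNS-port traffic only.

    A connection to the same IP on another port (e.g. 443) is not a DNS query
    and is deliberately not counted, so the result is not inflated by scanners
    or researchers probing the rogue hosts."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["dport"] != 53:
            continue
        if flow["dst"] in rogue:
            clients[flow["dst"]].add(flow["src"])
    return dict(clients)


def unique_victims(clients):
    """Collapse the per-resolver sets into one set of unique source IPs,
    which is the metric the report used (300,000 unique addresses in a week)."""
    if not clients:
        return set()
    return set().union(*clients.values())


if __name__ == "__main__":
    hits = find_rogue_dns_clients(SAMPLE_FLOWS)
    for resolver, sources in sorted(hits.items()):
        print(resolver, sorted(sources))
    print("unique victims:", len(unique_victims(hits)))
```

On a real network the same logic would be run over NetFlow/IPFIX or firewall logs at the ISP or enterprise edge; a home user can instead simply check whether the DNS servers handed out by the router (visible in the router's status page or in the DHCP lease on a client) are either of the two addresses above.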

The researchers believe those devices were compromised using several different techniques that exploit known vulnerabilities. Many of the affected devices had their administrative interfaces exposed to the Internet, making them susceptible to brute-force password-guessing attacks or to unauthorized access using default credentials, if their owners didn't change them, the researchers said.

A considerable number of devices also appeared to be vulnerable to a security flaw reported in January in ZynOS, a router firmware created by ZyXEL Communications that's also used on router models from other manufacturers. That vulnerability allows attackers to remotely download a file containing the configuration of a vulnerable router without authentication and parse it to extract the password for the router's administrative interface.

According to the Team Cymru researchers, it's also likely that attackers used cross-site request forgery (CSRF) to exploit vulnerabilities in TP-Link routers that have been known since last year.

CSRF attacks involve placing malicious code on a website to force visitors' browsers to send specially crafted requests to a third-party URL. Because the browser automatically attaches whatever credentials it holds for that third-party site (session cookies, or cached HTTP Basic authentication credentials, which many router interfaces use), the request arrives looking like one the user made. If the users are authenticated on the third-party site and the site has no CSRF protection, the malicious requests can abuse the users' access on that site to perform unauthorized actions. This type of attack is also known as session riding.

Attackers can use CSRF techniques to attack routers even when their administration interfaces are only accessible from the local area network, by relaying requests through the owners' browsers and leveraging their authenticated sessions: the browser sits inside the LAN, so a request it sends to the router's private address reaches the interface that the Internet cannot.

The Team Cymru researchers noted two vulnerabilities reported in various TP-Link router models last year that are known to have been targeted through CSRF attacks. One allows attackers to replace the administrator password with a blank one, and the other allows changing the router's DNS settings even if the rogue request contains bogus credentials.

The first vulnerability was tested successfully against a TP-Link TD-8840T router running firmware version 3.0.0 build 120531 that was one of the first victim devices identified in the attack campaign, the researchers said. The second vulnerability reportedly affects TP-Link WR1043ND, TL-MR3020 and TL-WDR3600 running various firmware versions, but other models might also be affected.
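To make the mechanism concrete, here is an added example (not code from the article, from Team Cymru, or from TP-Link's firmware) that models a router's "set DNS servers" admin endpoint in two versions: one that honours any request carrying a valid session, which is exactly what a forged request relayed through the owner's browser carries, and one that additionally checks the request's origin and a per-session token that a page on another site cannot read. The endpoint shape, parameter names, the router address 192.168.1.1 and the token scheme are assumptions for illustration.

```python
"""Model of a router admin endpoint that changes the DNS settings, showing why a
LAN-only interface is still reachable by CSRF and what stops it.
Added example; endpoint shape, field names and router address are assumptions,
not any vendor's real firmware interface."""
import hmac
import secrets
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"   # assumed LAN address of the admin UI
SESSIONS = {}                          # session id -> per-session CSRF token


def login():
    """Issue a session id and bind a random CSRF token to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_hex(16)
    return sid


def _same_origin(request):
    """True only if Origin (or, failing that, Referer) is exactly the router's origin.
    Prefix matching is avoided so http://192.168.1.10 does not slip through."""
    hdrs = request["headers"]
    src = hdrs.get("Origin") or hdrs.get("Referer", "")
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == ROUTER_ORIGIN


def weak_set_dns(request, config):
    """Vulnerable version: any request with a valid session is honoured, no matter
    which page in the browser caused it. This is what a CSRF attack relies on."""
    if request["cookies"].get("sid") not in SESSIONS:
        return 403, config
    config["dns"] = [request["form"]["dns1"], request["form"]["dns2"]]
    return 200, config


def hardened_set_dns(request, config):
    """Hardened version: same-origin check plus a synchronizer token that the
    attacker's page cannot learn, because the same-origin policy stops it from
    reading the router's pages."""
    sid = request["cookies"].get("sid")
    if sid not in SESSIONS:
        return 403, config
    if not _same_origin(request):
        return 403, config
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, SESSIONS[sid]):
        return 403, config
    config["dns"] = [request["form"]["dns1"], request["form"]["dns2"]]
    return 200, config


def forged_request(sid):
    """What a malicious page posts through the victim's browser: the browser
    attaches the router session automatically, but Origin is the attacker's site
    and the page has no way to include the session's token.
    The DNS values are the two rogue resolvers from the article."""
    return {
        "cookies": {"sid": sid},
        "headers": {"Origin": "http://attacker.example"},
        "form": {"dns1": "5.45.75.11", "dns2": "5.45.76.36"},
    }


def legitimate_request(sid):
    """A change submitted from the router's own settings page (constructed)."""
    return {
        "cookies": {"sid": sid},
        "headers": {"Origin": ROUTER_ORIGIN},
        "form": {"dns1": "192.0.2.53", "dns2": "192.0.2.54",
                 "csrf_token": SESSIONS[sid]},
    }


def demo():
    """Run the forged request against both handlers; return (status, dns) pairs."""
    sid = login()
    weak = {"dns": ["192.0.2.53", "192.0.2.54"]}
    hard = {"dns": ["192.0.2.53", "192.0.2.54"]}
    w_status, weak = weak_set_dns(forged_request(sid), weak)
    h_status, hard = hardened_set_dns(forged_request(sid), hard)
    return w_status, weak["dns"], h_status, hard["dns"]


if __name__ == "__main__":
    print(demo())
```

The second TP-Link flaw the researchers describe is worse than the modelled weak handler, since there the DNS change went through even with bogus credentials, so no session was needed at all; the origin and token checks above would still reject it, because neither depends on the credentials in the request. Note that Referer is used only as a fallback: some browsers and privacy extensions strip it, so a handler that rejects requests lacking both headers is the safer default for a settings-changing endpoint.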

Continue reading here:
Attack campaign compromises 300,000 home routers, alters DNS settings

March 5, 2014 at 11:08 am by Mr HomeBuilder