Network Of 300k Hacked Routers Uncovered

Thomas Brewster,
router internet DSL SOHO gateway broadband © Ensuper Shutterstock

Epic attack allows hackers to send victims to any IP address they choose

Hackers have managed to compromise at least 300,000 routers, which are potentially being used to redirect users to malicious websites.

Amongst the hacked “small office/home office (SOHO)” routers were those produced by TP-Link, D-Link, Micronet and Tenda. Weak authentication and vulnerabilities in both the routers’ firmware and their web application interfaces were all exploited in the attacks, according to security-focused non-profit Team Cymru.

Easy router attacks

One of the vulnerabilities used was a cross-site request forgery flaw, which meant that when a user visited a malicious website, the authentication for the router was handed to the attackers. The attack method is shown in the image below.

Cross Site Forgery Request flaw

The hackers also exploited a known flaw in ZyXEL ZynOS firmware on the routers, which meant it was possible to download the credentials directly from the devices using an unauthenticated web interface for the machines.

The attackers were seen changing the domain name system (DNS) configurations on the devices, meaning they were able to point them to any URL of their choosing.

Team Cymru is headquartered in Illinois and distributed round the world. The obviously Welsh name (pronounced “cum-ree”) was chosen by the group’s founders, two of whom – Rob Thomas and Neil Long – have Welsh heritage.

Most of the victims of the attack were based in Vietnam, although other victims lived in Italy, India and Thailand. The attacks date back to at least mid-December.

It appears the UK came away relatively unscathed, even though there were many victims across Europe.

Team Cymru attack geography

It’s currently unclear what the attackers want, however, as the IP addresses the victims were forwarded on to did not appear to contain anything obviously malicious.

But Team Cymru noted there were precedents for nasty attacks using such techniques. The hackers used compromised routers to send victims to fake sites, where they would be duped of their banking credentials. The crooks then sent text messages to trick the targets into handing over their second factor of authentication.

Earlier this year, a worm known as Moon was spreading across LinkSys routers, ostensibly to build up a network of infected devices.

What do you know about Internet security? Find out with our quiz!