Home / Blog / Domestic routers in the spotlight

Domestic routers in the spotlight

Posted on 09/24/2015, by Francisco J. Rodríguez (INCIBE)
spotlight

Not only are our mobile devices or personal computers with an internet connection exposed to different kinds of cyber-attacks, our domestic routers could compromise our security and privacy, due to vulnerabilities, poor configuration or default access passwords or those that are too weak. These risks are enhanced by their regular exposure to the Internet if appropriate measures are not taken to disable their public access or disconnect them. This, in addition to the enormous amount of devices and the variety of manufacturers make domestic routers targets of high interest for cyber-criminals.

Recently, in September there were reports of a case in which a vulnerability in the UPNP protocol of certain routers exposed the LAN to cyber-attacks: http://securityaffairs.co/wordpress/39787/hacking/filet-o-firewall-flaw.html.

During the last few months thanks to the use of a monitoring platform and the sensors deployed at INCIBE many attacks were detected whose target were domestic routers, supplied by different ISP (some amongst them were Spanish).

Below we describe the behaviour of attacks observed that were mainly directed against domestic routers.

Ataques contra servicio SSH

In August attacks were detected whose main target were Linux routers with ARM, x86, MIPSEL and MIPS architecture, with the SSH service exposed to the internet and with weak credentials.

Our sensors detected a total of 104 with 38 different origins, amongst them Spain. Spain was an attack destination country, one of a wide range of countries targeted in a worldwide scan.

Statistical

- Statistical data of countries where SSH attacks against domestic routers originated -

All of these attacks follow the same pattern: a previously infected host carries out a brute force attack with the following credentials:

  • root/root
  • admin/admin
  • ubnt/ubnt

The list of hosts to attack is randomly generated within a range determined by the attacking machine and, through the SSH protocol, attempts are made to connect with the abovementioned credentials. For example, one list of targets detected was found in network segment 179.143.0.0/16 (managed by the Brazilian ISP NEXTEL):

Example of a random range of IP

- Example of a random range of IP addresses to scan -

As well as the scan, different DNS request were carried out:

DNS requests carried out by the malware

- DNS requests carried out by the malware -

If the attacker gains access to the machine attacked using the test credentials, they will download files and run them. They will previously check the architecture of the machine and depending on it, they will download one file or another.

Commands executed by the malware to determine the system’s version

- Commands executed by the malware to determine the system’s version -

After checking the type and version of the operating system and once the appropriate file is downloaded for the compromised computer, the latter begins to carry out the same activities as the attacker that infected it.

This system becomes part of a group of routers that are used to download and run other types of malware with different objectives, such as DDOS attacks.

Some antivirus companies have this type of malware catalogued. A detailed description can be obtained at the following link: http://vms.drweb-av.es/virus/?i=7299536

Attacks against Telnet services

Our sensors detected an increase in the search for vulnerable TELNET services. In only 48 hours a total of 5288 access attempts were detected, of which 182 gained access with default credentials and downloaded malware onto the system attacked. A total of 35 unique attacking IP addresses against this service were obtained.

We must highlight the fact that the attacking IPs correspond to domestic routers that belong to different providers from various countries that provide access to the control panel from the internet with default credentials or even without authentication necessary for access.

The malware on this occasion downloaded many samples compiled for different architectures and ran all of them, without checking the router architecture.

The malware downloads and tests different malicious files precompiled in different architectures

- The malware downloads and tests different malicious files precompiled in different architectures -

The system infected, after it being verified that it has connectivity to the internet, initiates attacks against a large number of hosts:

Tests and attacks over several IP

- Tests and attacks over several IP addresses and services -

The infected domestic router is controlled by a Command and Control (C&C) centre to which it sends commands for carrying out different malicious actions:

Sample of communication between an infected host and its C&C

- Sample of communication between an infected host and its C&C. Observe the commands -

As can be observed, the geographic distribution covers a wide area worldwide:

Origins of attacking IPs

- Origins of attacking IPs -

Models of behaviour and types of routers compromised

The following are some of the operations and commands executed:

Sample of commands executed and actions carried out by the malware

- Sample of commands executed and actions carried out by the malware -

The types of routers compromised are varied and from different manufacturers. Amongst those detected are the following models:

  • NUCOM
  • ULUSNET_WIMAX_CPE
  • Zyxel P-2612HNU-F
  • Dlink DSL-2750U
  • DD-WRT
  • AirOS

The following are some of the control panels exposed:

Router Zyxel

- Router Zyxel -

nucom

- Router NuCom -

Control panel of a domestic router commonly used in Brazil

- Control panel of a domestic router commonly used in Brazil -

The most downloaded sample in the attacks showed these results in an analysis by Virus Total:

virustotal

- Analysis obtained by Virus Total -

Regarding the information collected, we have the following figures on the distribution of attackers:

Statistical

- Statistical data obtained from the samples collected: Origins of attacking IPs -

As can be observed, the attacks against Spanish domestic routers not only originate outside of Spain, but they can also originate from compromised routers located in Spain. The origin of malware downloads is, in the majority of cases, the USA.

Autonomous systems or ASN responsible for certain IP ranges to which attacks belong are:

List of ASN responsible for IP affected

- List of ASN responsible for IP affected -

The user/password list used for access attempts is:

The user/password list used for attacking

- The user/password list used for attacking -

Default Security, a true problem

Once again the success of these campaigns is ensured by poor practices by manufacturers and users since they do not pay enough attention to the security of devices with internet access. As always, at INCIBE we recommend securing all of our devices with network connectivity including our domestic routers, which are generally forgotten. As such, some good practices to carry out involve the use of strong passwords and not exposing services on the internet if it is not strictly necessary, thus eliminating a major and widely exploited vector of attack.