London firm at centre of hack redirecting 300,000 routers
By Nicole Kobie
Posted on 3 Mar 2014 at 17:01
A London-registered company appears to be at the centre of a massive attack that's redirecting traffic from 300,000 routers, a security firm has said.
Florida-based security firm Team Cymru said it was examining a "widespread compromise" of consumer and small office/home office (SOHO) routers in Europe and Asia.
In January, the firm uncovered a "SOHO pharming" campaign that had overwritten DNS settings on 300,000 routers. That allows attackers to redirect traffic to sites and domains controlled by them, "effectively conducting a man-in-the-middle attack," the company's report said.
"If [your router's] been hijacked and is pointing to someone else's DNS server, you really have no trust over what you're actually getting - you could be getting the bad guy's version of Google, or your bank site," Team Cymru spokesman Steve Santorelli told PC Pro. "It's very clever."
The routers' DNS settings were changed to two IP addresses, both of which are for machines that are physically in the Netherlands, but registered with UK company 3NT Solutions, he said.
"The analogy I'd use is there's a bank robbery in Utrecht, for example, and the police stop the car," Santorelli said. "The car used is actually there physically in Holland, but it's registered to someone in the UK."
The website for 3NT Solutions was offline at the time of writing and the company could not be reached for comment. Its registered address is a Mailboxes Etc location in central London.
The company caught the eye of security researcher Conrad Longmore, who posted his "reservations" about 3NT Solutions on his Dynamoo blog last week.
"Alright, let's cut a long story short because we know who this is... it's Serbian web host inferno.name who have featured on this blog several times before all the way back to 2011," he said. "Similar records exist on all of 3NT's ranges, linking them firmly with inferno.name."
Longmore described 3NT/Inferno.name as a "known bad actor" that ran malicious and "spammy" sites - and advised admins to "block all their IPs on sight".
Cymru's Santorelli stressed that the router attack was serious. "It's not new as an issue to the InfoSec community but this is one of the biggest we've seen recently as it's quite insidious," he said.
Santorelli said that rather than delay reporting the flaw, his firm notified authorities and took it public immediately. "This is kind of a sea-change in the way people have been approaching security," he said. "This isn't the first time this kind of thing's been spotted, but it's certainly the biggest in recent memory."
The attack affects devices from several manufacturers, the firm said, adding that "consumer unfamiliarity" with configuring routers and weak default settings make the devices a "very attractive target".
Santorelli said the problem wasn't a hardware flaw, but weaknesses in ZyXEL's widely used router firmware, ZynOS.
"It's about the people who write the original firmware... this is ubiquitous firmware," he said. "It's on all these very good value, cheap routers - it's really a firmware vendors' problem than a hardware manufacturers' problem."
However, he added that Team Cymru didn't want to single out any one company or manufacturer as the cause of the problem, saying such attacks were a "natural evolution" in the security battle. "It's just another thing you need to check - but unfortunately there isn't antivirus for routers."
"It's not just about password control and antivirus on your laptop, now you've got to look at all... stages of how the packet gets from your Google search, out to Google, and back again," Santorelli said.
To stay safe, Santorelli recommended checking your router's DNS settings, ensuring that the IP addresses you end up at are legitimate, and updating your firmware.
The report added that if the attackers' servers are shut down, it could cause trouble for victims. "As with the DNSChanger malware, unwitting victims are vulnerable to a loss of service if the malicious servers are taken down, as both primary and secondary DNS IP addresses are overwritten, complicating mitigation," the report added.
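The check Santorelli recommends, together with the report's point that both the primary and secondary DNS addresses are overwritten, can be turned into a simple audit of the resolvers a router hands out. The following is an added example, not Team Cymru's or PC Pro's code; the allowlist, the LAN ranges and the sample resolv.conf text are assumptions constructed for illustration, and the 203.0.113.x / 198.51.100.x addresses are documentation ranges standing in for whatever a hijacked router might point at.

```python
"""Audit the DNS resolvers a router is handing out (added example, constructed data)."""
import ipaddress

# Assumption: the resolvers you expect, e.g. the router's own LAN address
# and the resolver you or your ISP deliberately configured. Placeholder values.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1"}

# RFC 1918 and loopback ranges; a resolver here is at least on your own network.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_resolv_conf(text):
    """Return the nameserver IPs from resolv.conf-style text, ignoring comments and junk."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # not an IP address; skip rather than crash
    return servers


def classify_resolver(ip, expected=EXPECTED_RESOLVERS):
    """'expected', 'local-unlisted' (LAN address you did not configure) or 'public-unlisted'."""
    if ip in expected:
        return "expected"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LAN_RANGES):
        return "local-unlisted"
    return "public-unlisted"  # a foreign public resolver: the pharming symptom


def audit(text, expected=EXPECTED_RESOLVERS):
    """Return (verdict, {ip: classification}) for the resolvers found in text."""
    details = {ip: classify_resolver(ip, expected) for ip in parse_resolv_conf(text)}
    if not details:
        return "no-resolvers", details
    if all(v == "expected" for v in details.values()):
        return "ok", details
    if all(v == "public-unlisted" for v in details.values()):
        # Every resolver (primary and secondary) points off-network: treat as a hijack.
        return "hijack-suspected", details
    return "review", details


# Constructed sample: both resolvers replaced, as the report describes.
SAMPLE_HIJACKED = "# generated by dhcp\nnameserver 203.0.113.5\nnameserver 198.51.100.9\n"
```

A "review" verdict means at least one resolver is still the one you expect; "hijack-suspected" is the case the report warns about, where a takedown of the attackers' servers would also leave the victim without DNS.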
Unsafe at any speed?
Sounds pretty serious. I thought that a department of Ofcom or MI6 or GCHQ were employed to check that routers imported into the UK were not vulnerable? Especially the likes of TP-Link.
Can you confirm that only ZyXEL routers are affected at this point in time? Ta.
By Natasha26 on 4 Mar 2014
They're all waiting...
If you had developed a nasty virus or whatever for XP, would you release it now, or wait until April the 9th...
By roblightbody on 4 Mar 2014
Read the text; it refers to D-Link routers and specifically any routers using firmware supplied by ZyXEL to other companies, so many different makes of routers.
By irturner on 6 Mar 2014
That would be GCHQ reading your e-mails then.
By MeesterChris on 8 Mar 2014