London firm at centre of hack redirecting 300,000 routers

3 Mar 2014
Attackers have overwritten DNS settings on 300,000 routers, highlighting a security weakness in their firmware

A London-registered company appears to be at the centre of a massive attack that's redirecting traffic from 300,000 routers, a security firm has said.

Florida-based security firm Team Cymru said it was examining a "widespread compromise" of consumer and small office/home office (SOHO) routers in Europe and Asia.

In January, the firm uncovered a "SOHO pharming" campaign that had overwritten DNS settings on 300,000 routers. That allows attackers to redirect traffic to sites and domains controlled by them, "effectively conducting a man-in-the-middle attack," the company's report said.

"If [your router's] been hijacked and is pointing to someone else's DNS server, you really have no trust over what you're actually getting - you could be getting the bad guy's version of Google, or your bank site," Team Cymru spokesman Steve Santorelli told PC Pro. "It's very clever."

Company links

The routers' DNS settings were changed to two IP addresses, both of which are for machines that are physically in the Netherlands, but registered with UK company 3NT Solutions, he said.

"The analogy I'd use is there's a bank robbery in Utrecht, for example, and the police stop the car," Santorelli said. "The car used is actually there physically in Holland, but it's registered to someone in the UK."

The website for 3NT Solutions was offline at the time of writing and the company could not be reached for comment. Its registered address is a Mailboxes Etc location in central London.

The company caught the eye of security researcher Conrad Longmore, who posted his "reservations" about 3NT Solutions on his Dynamoo blog last week.

"Alright, let's cut a long story short because we know who this is... it's Serbian web host inferno.name who have featured on this blog several times before all the way back to 2011," he said. "Similar records exist on all of 3NT's ranges, linking them firmly with inferno.name."

Longmore described 3NT/Inferno.name as a "known bad actor" that ran malicious and "spammy" sites - and advised admins to "block all their IPs on sight".

Attractive target

Cymru's Santorelli stressed that the router attack was serious. "It's not new as an issue to the InfoSec community but this is one of the biggest we've seen recently as it's quite insidious," he said.

Santorelli said that rather than delay reporting the flaw, his firm notified authorities and took it public immediately. "This is kind of a sea-change in the way people have been approaching security," he said. "This isn't the first time this kind of thing's been spotted, but it's certainly the biggest in recent memory."

The attack affects devices from several manufacturers, the firm said, adding that "consumer unfamiliarity" with configuring routers and weak default settings make the devices a "very attractive target".

Indeed, security researchers at Tripwire spotted a series of flaws in routers last year, while D-Link rushed out a patch to fix a back door to admin settings.

Santorelli said the problem wasn't a hardware flaw, but weaknesses in ZyXEL's widely used router firmware, ZynOS.

"It's about the people who write the original firmware... this is ubiquitous firmware," he said. "It's on all these very good value, cheap routers - it's really a firmware vendors' problem than a hardware manufacturers' problem."

However, he added that Team Cymru didn't want to single out any one company or manufacturer as the cause of the problem, saying such attacks were a "natural evolution" in the security battle. "It's just another thing you need to check - but unfortunately there isn't antivirus for routers."

"It's not just about password control and antivirus on your laptop, now you've got to look at all... stages of how the packet gets from your Google search, out to Google, and back again," Santorelli said.

Mitigation techniques

To stay safe, Santorelli recommended checking your router's DNS settings, ensuring that the IP addresses you end up at are legitimate, and updating your firmware.

The report added that if the attackers' servers are shut down, it could cause trouble for victims: "As with the DNSChanger malware, unwitting victims are vulnerable to a loss of service if the malicious servers are taken down, as both primary and secondary DNS IP addresses are overwritten, complicating mitigation."
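
As an added illustration of the DNS-settings check recommended above (this code is not from the article or from Team Cymru's report), the following Python example compares the resolvers a machine has been handed with the ones its owner expects, and flags the case the report describes where primary and secondary are both replaced. The function names, the expected-resolver set and all addresses are assumptions constructed for the example.

```python
import ipaddress
import re

# RFC 1918 ranges: a resolver here is normally the router acting as forwarder.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: the resolvers the owner expects (ISP's or deliberately chosen).
# All addresses below are constructed from documentation ranges (RFC 5737).
EXPECTED = {"192.0.2.1", "192.0.2.2"}
SAMPLE_HIJACKED = "nameserver 203.0.113.53\nnameserver 198.51.100.53\nsearch lan\n"


def parse_nameservers(text):
    """Return valid nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if not m:
            continue
        try:
            servers.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # skip malformed entries
    return servers


def audit_resolvers(text, expected):
    """Compare configured resolvers with the set the owner expects."""
    expected = {ipaddress.ip_address(e) for e in expected}
    servers = parse_nameservers(text)
    on_lan = [s for s in servers if any(s in n for n in LAN_NETS)]
    unexpected = [s for s in servers
                  if s not in expected and s not in on_lan]
    if not servers:
        verdict = "no-resolvers"
    elif unexpected and len(unexpected) == len(servers):
        verdict = "all-overwritten"       # primary and secondary both replaced
    elif unexpected:
        verdict = "partially-unexpected"
    elif on_lan:
        verdict = "check-router"          # compare the router's own DNS fields
    else:
        verdict = "ok"
    return verdict, [str(s) for s in unexpected]


if __name__ == "__main__":
    print(audit_resolvers(SAMPLE_HIJACKED, EXPECTED))
```

A "check-router" verdict means the machine only queries the router, so the same comparison has to be made against the DNS addresses shown on the router's own settings page.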
