The US-based research firm announced on 3 March that it has uncovered a 'Man in the Middle' campaign dating back to at least mid-December that infiltrated more than 300,000 small office/home office (SOHO) gateway devices from manufacturers including D-Link, Micronet, Tenda, TP-Link and others.
So far, Team Cymru said the affected users are mainly from Vietnam, followed by India, Italy, Thailand and Cambodia. But in just one week it tracked victims from 12 other countries as well, including the US, Spain and Russia.
The attackers compromise the routers and overwrite their DNS settings, so that name lookups from every device behind the router are sent to DNS servers the attackers control. Those servers can answer with the addresses of hosts the attackers run, letting them intercept the traffic that follows and potentially capture credentials such as user names and passwords.
The attack is the latest in a series targeting wireless routers. Last month, the US SANS Institute discovered the so-called Moon worm spreading through Linksys routers, and Team Cymru has spotted similarities between the latest attack and another recent router exploit targeting customers of Polish retail banks.
In the current case, the researchers say: “The scale of this attack suggests a more traditional criminal intent, such as search result redirection, replacing advertisements, or installing drive-by downloads, all activities that need to be done on a large scale for profitability.” Team Cymru has informed law enforcement agencies.
But the firm is warning security professionals that routers are an enterprise vulnerability: “As the bar is increasingly raised for compromising end point workstations, cyber criminals are turning to new methods to achieve their desired goals. By compromising one SOHO router, an attacker can redirect traffic for every device in that network.
“As embedded systems begin to proliferate in both corporate and consumer networks, greater attention needs to be given to what vulnerabilities these devices introduce. Security for these devices is typically a secondary concern to cost and usability and has traditionally been overlooked by both manufacturers and consumers.”
Security expert Brian Honan of BH Consulting agrees that these devices present an opening for cyber criminals.
He told SCMagazineUK.com via email: “Given the challenges that consumers and small businesses have in protecting their computers by using anti-virus software and patching them regularly, protecting consumer-level devices such as routers will be a challenge. Many ordinary users simply turn on their routers and may not know how to update or manage them. It will be interesting to see how manufacturers and ISPs will rise to this challenge.”
Team Cymru warns: “With the release of the exploit code for the Moon worm available online, and the mBank campaign gaining more attention every day, we expect to see more and more malicious activity targeting SOHO devices and other embedded systems.”
Adrian Culley, global technical consultant with Damballa, focused on what the device manufacturers need to do to safeguard users. He said in an emailed comment to journalists: “Vendors must work with the understanding that their routers, just like any other part of the network, are constantly targeted in cyber attacks. It is the vicarious responsibility of firms who provide routers to homes and business to ensure that their product is built with the presumption it will be continuously probed and attacked to ensure safety of the end user.”
Research by Tripwire suggests that 80 percent of Amazon's top 25 best-selling SOHO wireless router models have security vulnerabilities. Tripwire security researcher Craig Young said in an emailed comment: “Routers are an ideal target for cyber attackers because they can be used to eavesdrop on traffic sent to and from nearby enterprise access points.”
Team Cymru advises: “Organisations concerned that their customers and external partners could be victims of this type of attack should urge them to review their local router settings and security policies and contact their upstream service provider for assistance if necessary.
“SOHO devices should have remote user-mode administration features and GUIs disabled or, at a minimum, restricted through ACLs to only those IPs required for regular administration. Management interfaces open to the internet create an easily detectable and exploitable vulnerability and should be disabled immediately if found.
“For larger corporate networks, security professionals could also deploy HTML code to their externally facing servers to attempt to detect remote users' DNS settings, and potentially block users with compromised DNS settings.”
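One way to carry out the last recommendation, as an added example that is not Team Cymru's code or part of its white paper: each page served by an externally facing web server embeds a one-time hostname under a zone the organisation controls (here the hypothetical `dnscheck.example.com`). A browser whose DNS has not been tampered with resolves that name through its normal resolver, which then contacts the organisation's authoritative server, so the query log shows which resolver the visitor is really using. The script below generates the canary, then correlates constructed web-server and DNS-server log lines to decide whether each visitor's resolver is one the organisation expects. The resolver ranges and all log lines are made up for the example.

```python
"""Canary-hostname check for visitors with hijacked DNS settings.

Added example (not Team Cymru's code). Assumptions, all hypothetical:
  - we are authoritative for dnscheck.example.com and log every query it receives
  - the web server embeds <token>.dnscheck.example.com in each page and logs the
    token together with the client IP
  - EXPECTED_RESOLVERS lists the resolvers legitimate visitors should be using
"""
import ipaddress
import re
import secrets

CANARY_ZONE = "dnscheck.example.com"  # hypothetical zone under our control

# Constructed policy: the ISP's resolver range (TEST-NET-3) plus some public resolvers.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("8.8.8.8/32"),
    ipaddress.ip_network("8.8.4.4/32"),
    ipaddress.ip_network("1.1.1.1/32"),
]


def new_token() -> str:
    """Unguessable per-page token, so a canary lookup cannot be cached or pre-answered."""
    return secrets.token_hex(8)


def canary_html(token: str) -> str:
    """HTML fragment for an externally facing page; the 1x1 image forces one DNS lookup
    of a name only this visitor was given."""
    return f'<img src="http://{token}.{CANARY_ZONE}/p.gif" width="1" height="1" alt="">'


# Constructed sample logs. Web log: "<client_ip> <method> <path> token=<token>".
# DNS log from the authoritative server: "<resolver_ip> <qname> <qtype>".
WEB_LOG = """\
198.51.100.10 GET /login token=4f1c2a9be0d37781
198.51.100.22 GET /login token=9a7d0c5e31b2f604
198.51.100.35 GET /login token=c0ffee1234567890
198.51.100.48 GET /login token=deadbeefdeadbeef
"""

DNS_LOG = """\
203.0.113.7 4f1c2a9be0d37781.dnscheck.example.com. A
8.8.8.8 9a7d0c5e31b2f604.dnscheck.example.com. A
192.0.2.66 c0ffee1234567890.dnscheck.example.com. A
192.0.2.66 c0ffee1234567890.dnscheck.example.com. AAAA
"""

TOKEN_RE = re.compile(r"token=([0-9a-f]{16})")


def parse_web_log(text: str) -> dict:
    """Map token -> client IP that was handed that token."""
    tokens = {}
    for line in text.splitlines():
        m = TOKEN_RE.search(line)
        if m:
            tokens[m.group(1)] = line.split()[0]
    return tokens


def parse_dns_log(text: str) -> dict:
    """Map token -> set of resolver IPs that asked our authoritative server for it."""
    lookups = {}
    suffix = "." + CANARY_ZONE + "."
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[1].endswith(suffix):
            continue
        label = parts[1][: -len(suffix)]
        if "." in label:  # only a bare single-label token counts as a canary
            continue
        lookups.setdefault(label, set()).add(parts[0])
    return lookups


def resolver_expected(ip: str) -> bool:
    """True if the resolver that reached us is one a legitimate visitor would use."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_RESOLVERS)


def classify_sessions(web_text: str, dns_text: str) -> dict:
    """Return {client_ip: (verdict, sorted resolver IPs)} with verdict
    'ok', 'suspect' (unexpected resolver) or 'no_lookup' (canary never reached us)."""
    tokens = parse_web_log(web_text)
    lookups = parse_dns_log(dns_text)
    verdicts = {}
    for token, client in tokens.items():
        resolvers = sorted(lookups.get(token, ()))
        if not resolvers:
            verdict = "no_lookup"  # image blocked, page not rendered, or rogue resolver answered itself
        elif all(resolver_expected(r) for r in resolvers):
            verdict = "ok"
        else:
            verdict = "suspect"
        verdicts[client] = (verdict, resolvers)
    return verdicts


if __name__ == "__main__":
    for client, (verdict, resolvers) in classify_sessions(WEB_LOG, DNS_LOG).items():
        print(client, verdict, resolvers)
```

Two caveats follow from the design. The authoritative server only sees the resolver that finally contacts it: a hijacked router whose rogue DNS server forwards the query to a public resolver will show up as that public resolver and be classed `ok`, and a rogue server that answers the canary itself never reaches us at all and is indistinguishable from a visitor who blocks images (`no_lookup`). The check is therefore evidence for flagging or stepping up authentication rather than a reliable basis for a hard block, and the list of expected resolvers has to be maintained as ISPs change theirs.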
Team Cymru has published its findings in a white paper titled 'SOHO Pharming'.