Thousands of routers hijacked
Posted by: Timothy Weaver on 05/16/2015 09:11 AM
According to researchers at security firm Incapsula, routers with outdated firmware and default passwords are being targeted by hackers.
The routers being targeted all come from US vendor Ubiquiti. The hackers are able to log in to the routers using the default user name and password.
Once they have admin access, they are loading the routers with malware such as the MrBlack malware (a.k.a. Trojan.Linux.Spike.A). The hacked routers are being used to launch DDoS attacks.
These weaknesses expose the routers to eavesdropping, man-in-the-middle attacks and cookie hijacking, and give hackers the ability to reach other devices on the local network.
In addition, the routers can scan for other infected devices and create a botnet.
Incapsula said: “Facilitating the infiltration, all of these under-secured routers are clustered in the IP neighborhoods of specific ISPs that provide them in bulk to end-users. For perpetrators, this is like shooting fish in a barrel, which makes each of the scans that much more effective. Using this botnet also enables perpetrators to execute distributed scans, improving their chances against commonplace blacklisting, rate-limiting and reputation-based defense mechanisms.”
Traffic was recorded from 40,269 IPs belonging to 1,600 ISPs worldwide. Sixty command-and-control servers have been detected, 21% of them in the US and 73% in China.
Source: SCMagazineUK