
SOHO pharming attack hit more than 300,000 devices worldwide

Researchers at Team Cymru published a detailed report on a large-scale SOHO pharming attack that hit more than 300,000 devices worldwide.

Another mass compromise of small office/home office (SOHO) wireless routers has been uncovered by researchers from security firm Team Cymru. The attackers used several techniques to exploit the numerous flaws disclosed in recent months in the leading wireless router brands (Asus, D-Link, Cisco, Linksys, Micronet, Netgear, Tenda, TP-Link).

The vulnerabilities were exploited to change the network settings of more than 300,000 SOHO wireless routers. By altering the DNS configuration, the attackers were able to redirect users to malicious servers under their control.

A few weeks ago the Polish Computer Emergency Response Team documented a series of cyber attacks observed in Poland in which cybercriminals hacked into home routers and changed their DNS settings so they could conduct MITM attacks on online banking connections. The technique, which exploits several vulnerabilities in home routers, could also be used against users in other countries: the attackers configured the routers to use a DNS server under their control, which answered DNS queries for the targeted domain names with rogue IP addresses.

The router “pharming” campaign uncovered by Team Cymru appears to be distinct from the attacks spotted by the Polish CERT; it involved a greater number of machines across a wider geographic area.

“The affected devices we observed were vulnerable to multiple exploit techniques, including a recently disclosed authentication bypass vulnerability in ZyXEL firmware and Cross-Site Request Forgery (CSRF) techniques similar to those reported in late 2013.”

“This large-scale attack has similarities with a recent, highly targeted attack against Polish consumer bank customers, though subtle differences in tradecraft point to these being separate campaigns. We also believe that this activity is separate from the Linksys Moon worm recently reported by the SANS Institute,” reads the executive summary of the SOHO pharming report.

The attackers also exploited CSRF techniques to change the WPA/WPA2 passwords and other settings of SOHO devices, gaining complete remote control of the wireless routers.
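A CSRF request works because the victim's browser, already logged in to the router, is tricked into submitting a settings change on the attacker's behalf. The usual defence on the router side is to accept state-changing requests only when they demonstrably come from the admin UI itself. The following is an added example written for this article, not code from Team Cymru or from any router vendor: it shows the two checks such an admin UI should perform (an Origin/Referer check and a per-session anti-CSRF token compared in constant time). The admin host names, the token and the sample requests are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical host names under which the router's admin UI is reachable
# (assumption for this example, not taken from the report).
ADMIN_HOSTS = {"192.168.1.1", "router.local"}


def new_session_token():
    """Issue a per-session anti-CSRF token; the router stores it with the login session."""
    return secrets.token_urlsafe(32)


def _host_of(url):
    """Extract the host part of a URL, or None if it cannot be parsed."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def request_is_same_origin(headers):
    """Accept only requests whose Origin (or, failing that, Referer) names the router itself.

    A request triggered by a page on an attacker's site carries that site's Origin,
    so it is rejected before any setting is touched. With neither header present we
    fail closed, because a legitimate form post from the admin UI always has at least one.
    """
    origin = headers.get("Origin")
    if origin is not None:
        return _host_of(origin) in ADMIN_HOSTS
    referer = headers.get("Referer")
    if referer is not None:
        return _host_of(referer) in ADMIN_HOSTS
    return False


def settings_change_allowed(headers, form, session_token):
    """Gate for any state-changing admin action (DNS servers, WPA key, remote-admin toggle)."""
    if not request_is_same_origin(headers):
        return False
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes so the token cannot be guessed byte by byte
    # and non-ASCII input cannot raise inside compare_digest.
    return hmac.compare_digest(submitted.encode("utf-8"), session_token.encode("utf-8"))


# Constructed sample session token and requests (not real traffic).
SAMPLE_TOKEN = "constructed-session-token-0123"

SAMPLE_REQUESTS = {
    # Admin changes the DNS server from the router's own UI with a valid token.
    "legit": ({"Origin": "http://192.168.1.1"},
              {"dns1": "192.168.1.1", "csrf_token": SAMPLE_TOKEN}),
    # Cross-site form post: the browser reports the attacker page's Origin.
    "forged_cross_site": ({"Origin": "http://attacker.example",
                           "Referer": "http://attacker.example/page.html"},
                          {"dns1": "198.51.100.1"}),
    # Same origin but the token is missing (e.g. a replayed form without it).
    "same_origin_no_token": ({"Referer": "http://router.local/dns.html"},
                             {"dns1": "192.168.1.1"}),
    # No Origin and no Referer at all: fail closed.
    "no_headers": ({}, {"dns1": "192.168.1.1", "csrf_token": SAMPLE_TOKEN}),
}


def evaluate_samples():
    """Run the gate over the constructed requests and return {name: allowed}."""
    return {name: settings_change_allowed(headers, form, SAMPLE_TOKEN)
            for name, (headers, form) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name:22s} -> {'allowed' if allowed else 'rejected'}")
```

Only the request that both originates from the router's own UI and carries the session's token is allowed; every other combination is rejected before the handler reaches the code that writes the new DNS server or WPA key.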

To check whether a SOHO device has been compromised, verify its DNS settings: affected devices use the IP addresses 5.45.75.11 and 5.45.75.36. The analysis by the Team Cymru experts revealed that the majority of affected SOHO devices are located in Vietnam, Colombia, India and Thailand and, unfortunately, in my country, Italy.
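The check described above can be automated on any client behind the router: read the resolvers the router handed out over DHCP and compare them against the two addresses named in the report. The following is an added example written for this article, not a tool from Team Cymru: it parses resolv.conf-style text, flags the two IoC addresses, and also separates resolvers on the LAN (normally the router itself) from public resolvers nobody may have configured. The resolv.conf samples are constructed, not captured from a real device.

```python
import ipaddress
import re

# Resolver addresses the Team Cymru report associates with affected devices (from the article).
PHARMING_RESOLVERS = {
    ipaddress.ip_address("5.45.75.11"),
    ipaddress.ip_address("5.45.75.36"),
}

# Private ranges where a SOHO router's own address normally lives.
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf-style text, skipping malformed entries."""
    servers = []
    for match in _NAMESERVER_RE.finditer(resolv_conf_text):
        try:
            servers.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # not an IP literal; ignore rather than abort the whole check
    return servers


def assess_resolvers(servers, lan_networks=LAN_NETWORKS):
    """Classify each resolver as 'pharming' (known IoC), 'lan' (private address) or 'external'.

    A public resolver is not malicious by itself, but on a SOHO network the router
    usually hands out its own LAN address as DNS, so an unexpected external resolver
    deserves a second look even when it is not one of the two known addresses.
    """
    verdicts = {}
    for ip in servers:
        if ip in PHARMING_RESOLVERS:
            verdicts[str(ip)] = "pharming"
        elif any(ip in net for net in lan_networks):
            verdicts[str(ip)] = "lan"
        else:
            verdicts[str(ip)] = "external"
    return verdicts


def is_compromised(resolv_conf_text):
    """True if any configured resolver is one of the report's pharming addresses."""
    verdicts = assess_resolvers(parse_nameservers(resolv_conf_text))
    return any(v == "pharming" for v in verdicts.values())


# Constructed sample: what a client behind a pharmed router might receive over DHCP.
SAMPLE_PHARMED = """\
# Generated by DHCP (constructed sample, not a real capture)
search home
nameserver 5.45.75.11
nameserver 8.8.8.8
"""

# Constructed sample of an ordinary configuration: the router itself is the resolver.
SAMPLE_CLEAN = """\
search home
nameserver 192.168.1.1
"""


if __name__ == "__main__":
    for label, text in (("pharmed", SAMPLE_PHARMED), ("clean", SAMPLE_CLEAN)):
        print(label, assess_resolvers(parse_nameservers(text)),
              "compromised:", is_compromised(text))
```

On a real host, feed the function the contents of /etc/resolv.conf (or the DNS servers shown by `ipconfig /all` on Windows); a "pharming" verdict means the router's DNS settings have been changed and should be reset after the firmware is updated and the admin password changed.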

By changing the DNS settings, an attacker can redirect users to a website that steals banking credentials or serves malware.

“[…] suggests a more traditional criminal intent, such as search result redirection, replacing advertisements, or installing drive-by downloads; all activities that need to be done on a large scale for profitability,” the report continues. “The more manually intensive bank account transfers seen in Poland would be difficult to conduct against such a large and geographically-disparate victim group.”

This kind of attack is particularly dangerous because it targets weaknesses in SOHO devices running embedded software.

“As embedded systems begin to proliferate in both corporate and consumer networks, greater attention needs to be given to what vulnerabilities these devices introduce,” Team Cymru noted. “Security for these devices is typically a secondary concern to cost and usability and has traditionally been overlooked by both manufacturers and consumers.”

To protect SOHO devices from this attack, disable any form of remote administration access from the Internet and change the default usernames and passwords. Make sure the latest available firmware version is installed on your SOHO devices.

Please read the report and share it!

Pierluigi Paganini

(Security Affairs – SOHO wireless routers, hacking)
