Millions of attempts to scan for a Netis Systems router backdoor have been registered since August, Trend Micro researchers said.
Over two years ago, routers produced by Netis Systems, part of China’s Netcore Group, suffered from a backdoor that could provide an attacker with complete control over the device.
To take it over, an attacker only needed to know the router's external IP address; the device could then be reached over UDP port 53413, and entering a password hardcoded in the firmware gave access to the backdoor.
With full control over the affected devices, an attacker could modify settings to carry out man-in-the-middle attacks among others, researchers said.
On top of that, the documentation attached to the routers didn’t mention anything about the backdoor and how it could be used.
The backdoor continues to be actively exploited, based on data gathered by one of Trend Micro's TippingPoint Digital Vaccine (DV) filters. DV filter 32391, designed to detect any attempt to scan for this specific backdoor, shows a massive number of backdoor communication attempts.
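The backdoor channel described above (UDP port 53413) and the filter-style detection in this paragraph can be illustrated with a small defender-side script. This is an added example, not Trend Micro's or Netis's code: it parses constructed flow records in a made-up "src dst proto dport" format, keeps only UDP traffic to the backdoor port, and marks a source as scanning when it probes several distinct destinations (the threshold is an assumed value).

```python
# Added example: flag UDP probes to the Netis backdoor port (53413) in flow
# records and summarise them per source, in the spirit of an IPS filter.
# Record format "src dst proto dport" is constructed for this example only.
from collections import defaultdict

NETIS_BACKDOOR_PORT = 53413  # UDP port named in the article

# Constructed sample flow records for illustration (documentation IP ranges).
SAMPLE_FLOWS = """\
198.51.100.7 203.0.113.10 udp 53413
198.51.100.7 203.0.113.11 udp 53413
198.51.100.7 203.0.113.12 udp 53413
203.0.113.10 192.0.2.1 udp 53
198.51.100.9 203.0.113.10 tcp 53413
198.51.100.20 203.0.113.10 udp 53413
"""


def parse_flow(line):
    """Parse one 'src dst proto dport' record into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    return {"src": parts[0], "dst": parts[1],
            "proto": parts[2].lower(), "dport": int(parts[3])}


def is_backdoor_probe(flow):
    """True only for UDP to the backdoor port; TCP to the same port is ignored."""
    return flow["proto"] == "udp" and flow["dport"] == NETIS_BACKDOOR_PORT


def summarise_probes(text, scan_threshold=3):
    """Return {src: {"hits": n, "targets": k, "scanning": bool}} per probing source.
    A source touching >= scan_threshold distinct destinations is marked scanning
    (assumed threshold, not a value from the article)."""
    hits = defaultdict(int)
    targets = defaultdict(set)
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None or not is_backdoor_probe(flow):
            continue
        hits[flow["src"]] += 1
        targets[flow["src"]].add(flow["dst"])
    return {src: {"hits": hits[src], "targets": len(targets[src]),
                  "scanning": len(targets[src]) >= scan_threshold}
            for src in hits}


if __name__ == "__main__":
    for src, info in summarise_probes(SAMPLE_FLOWS).items():
        print(src, info)
```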
The security firm's reporting dashboard, known as ThreatLinQ, has detected around 2.9 million hits since the filter was released in August, Trend Micro's Steve Povolny said in a blog post.
These statistics are based on 5 percent of customer filter hits, meaning over 57 million events have been registered in that timeframe, he said.
Researchers analyzed the pcaps from the TippingPoint devices and found that all of them were true positives. They then dug further and discovered a number of public exploit and scanning tools designed specifically to leverage this backdoor.
“Of interest is the fact that for the nearly 50,000 events that we saw on a single IPS in the last week, the huge majority originated from the UK at 40,000 hits, followed by China and North Korea making up the majority of the remainder,” Povolny said.
“What this highlights is an active campaign of world-wide scanning across the IPv4 space, looking for Internet-accessible routers that respond to the backdoor probe,” Povolny said. “Given the length of this campaign and the sheer volume, not to mention the ease of exploitation, it’s very likely that a large number of these routers are being compromised and used for nefarious purposes such as man-in-the-middle attacks.”
Netis released a patch for the backdoor, but flaws in its implementation, and the fact that the backdoor code itself has not been removed, leave devices still vulnerable.