At least 300,000 confirmed small office/home office (SOHO) routers have been compromised and had their DNS settings changed to point at two IP addresses in London, allowing attackers to perform man-in-the-middle (MitM) attacks on the traffic behind them.
“To date, we have identified over 300,000 devices, predominantly in Europe and Asia, which we believe have been compromised as part of this campaign, one which dates back to at least mid-December of 2013,” said Team Cymru researchers, who spotted several affected TP-Link WiFi routers in January and began investigating the matter.
“The routers were both small office/home office (SOHO) class devices that provided WiFi connectivity, local DNS, and DHCP services to customers, and were not using default passwords,” they said.
But some of them were running a firmware version vulnerable to Cross-Site Request Forgery (CSRF) attacks, and at least one ran firmware with a flaw that allowed attackers to download the device’s configuration file, which contains the administrative credentials.
The affected routers come from a range of manufacturers, including TP-Link, D-Link and Micronet, and are predominantly located in Vietnam, India, Italy, Thailand, and Colombia, but also in Serbia, Ukraine, and Bosnia and Herzegovina.
In one interesting twist, it appears the DNS requests sent to those two IP addresses are forwarded on to legitimate servers, so name resolution keeps working and users notice little.
“Attempts to log into local banking websites in affected countries, and to download software updates from Adobe and others all appeared to function normally, though many requests resolved noticeably slowly or failed to complete. Websites we tested also appeared to display normal advertising using these DNS servers,” the researchers said.
Team Cymru researchers have noticed some similarities between this campaign and one other that was mostly limited to targeting customers of several Polish banks, but they concluded that “subtle differences in the tradecraft employed makes it likely that [they] are observing either separate campaigns by the same group, or multiple actors utilizing the same technique for different purposes.”
They also added that they don’t believe the recently discovered Moon worm campaign targeting Linksys routers is the work of the same attackers.
The researchers notified the authorities about this campaign, and also the manufacturers of the affected devices.
Team Cymru spokesman Steve Santorelli told PC Pro that the two IP addresses to which the DNS requests were redirected are on machines in the Netherlands, but are registered to the UK-based company 3NT Solutions. This company’s IP ranges have previously and repeatedly been associated with spam sites.
The researchers have shared helpful techniques for mitigating this type of attack in a whitepaper.
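Because the rogue resolvers forward queries to legitimate servers, resolution behaves normally and the hijack only shows up in the configuration itself. The following script, added here as an illustration and not taken from the Team Cymru whitepaper, audits a resolv.conf-style resolver list from a LAN client: anything that is neither the expected LAN gateway range nor an explicitly trusted upstream resolver is flagged. The sample configuration, the LAN prefix and the trusted-resolver list are all constructed values.

```python
import ipaddress

# Constructed sample of the resolver configuration a LAN client might receive
# over DHCP from a router whose DNS settings were altered (example data only).
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
search home.lan
nameserver 192.168.1.1
nameserver 198.51.100.23
nameserver 203.0.113.7
"""

# Assumed site-specific values: the LAN prefix in which the router (the normal
# DNS/DHCP server for SOHO clients) lives, and upstream resolvers the operator
# has deliberately chosen.
EXPECTED_LAN = ipaddress.ip_network("192.168.1.0/24")
TRUSTED_RESOLVERS = {"9.9.9.9", "1.1.1.1"}


def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed entry: skip rather than crash the audit
    return servers


def suspicious_resolvers(servers, lan=EXPECTED_LAN, trusted=TRUSTED_RESOLVERS):
    """Flag resolvers that are neither on the expected LAN nor explicitly trusted.

    A hijacked SOHO router hands out attacker-controlled resolvers outside the
    LAN; since those forward queries to real servers, lookups still succeed, so
    the configured addresses must be checked directly.
    """
    return [str(ip) for ip in servers
            if ip not in lan and str(ip) not in trusted]


def audit_resolv_conf(text, lan=EXPECTED_LAN, trusted=TRUSTED_RESOLVERS):
    """Parse the configuration and return the list of unexpected resolvers."""
    return suspicious_resolvers(parse_nameservers(text), lan, trusted)


if __name__ == "__main__":
    for ip in audit_resolv_conf(SAMPLE_RESOLV_CONF):
        print(f"unexpected upstream resolver: {ip}")
```

On a real host, read `/etc/resolv.conf` (or the DHCP lease file) instead of the constructed sample and compare the result against the resolvers your ISP or policy actually specifies.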
“As the bar is increasingly raised for compromising endpoint workstations, cyber criminals are turning to new methods to achieve their desired goals, without gaining access to victims’ machines directly. The campaign detailed in this report is the latest in a growing trend Team Cymru has observed of cyber criminals targeting SOHO routers,” they said.