- May 7, 2016
- 1,287
Households and small businesses that use consumer-grade internet routers may fall victim to attacks that are presently targeting mainly Brazilian users, but may be easily localized to any other country.
These attacks have been around since 2012, but the risks they carry are rising sharply as the number of devices connected via routers to the internet skyrockets (according to Cisco there will be 3.4 devices connected to IP networks per capita by 2020). Therefore, we are closely monitoring these attacks in order to keep pace with recent developments in the attackers’ techniques.
It seems likely that there are different groups conducting these attacks as both the methodology and the scripts used vary. The basics, however, remain the same: they leverage either open access to routers due to weak authentication (mostly default username/password combination) or vulnerabilities in their firmware.
The main objectives of these attacks are to change the DNS configuration, allow remote management access with public IP and to set a predefined (many times the default) password for potential easy access for the perpetrators at a later time.
How the attacks work
The attacks we’ve observed were the result of redirection from a malicious page or advertising network to the perpetrators’ landing page hosting a malicious script.
The script then tries predefined username
assword combinations at default local addresses for particular router types along with the desired commands to execute.
The affected users are mostly running Firefox, Chrome or Opera browsers. Internet Explorer seems to be safe mainly due to the fact that it does not support the usernameassword@server notation (https://support.microsoft.com/en-us/kb/834489).
Read More:Cybercriminals target Brazilian routers with default credentials
These attacks have been around since 2012, but the risks they carry are rising sharply as the number of devices connected via routers to the internet skyrockets (according to Cisco there will be 3.4 devices connected to IP networks per capita by 2020). Therefore, we are closely monitoring these attacks in order to keep pace with recent developments in the attackers’ techniques.
It seems likely that there are different groups conducting these attacks as both the methodology and the scripts used vary. The basics, however, remain the same: they leverage either open access to routers due to weak authentication (mostly default username/password combination) or vulnerabilities in their firmware.
The main objectives of these attacks are to change the DNS configuration, allow remote management access with public IP and to set a predefined (many times the default) password for potential easy access for the perpetrators at a later time.
How the attacks work
The attacks we’ve observed were the result of redirection from a malicious page or advertising network to the perpetrators’ landing page hosting a malicious script.
The script then tries predefined username
assword combinations at default local addresses for particular router types along with the desired commands to execute.The affected users are mostly running Firefox, Chrome or Opera browsers. Internet Explorer seems to be safe mainly due to the fact that it does not support the username
assword@server notation (https://support.microsoft.com/en-us/kb/834489).Read More:Cybercriminals target Brazilian routers with default credentials
