Mass-Scale Abuse of poorly configured SOHO Routers

Pierluigi Paganini May 13, 2015

Several dozen Imperva Incapsula customers were targeted by a DDoS botnet comprised of tens of thousands of hijacked SOHO routers.

Security experts at Incapsula firm spotted a DDoS botnet composed of tens of thousands of malware-infected Small Office / Home Office SOHO routers engaged in application layer HTTP flood attacks.

The SOHO routers were infected with a strain of the Spike Linux Trojan (Trojan.Linux.Spike.A) and MrBlack, which is a Linux agent spotted for the first time by researchers at Dr.Web in May 2014.

The attackers leveraged remotely accessibility to the SOHO routers via HTTP and SSH on their default ports in order to compromise the network devices. As explained in the report published by Incapsula, the SOHO routers were poorly configured, attackers used default credentials (e.g. admin/admin) in order to access them and injected the malicious code. The malware was also able to propagate itself by scanning the network in order to locate and infect other routers.

According to the researchers, the hijacked SOHO routers  are ARM-based devices from wireless networking product manufacturer Ubiquiti Networks.

The experts at Incapsula analyzed a total of 13,000 malware samples found on the infected SOHO routers, on average each device were infected by at least four variants of the Spike malware and also by other DDoS malware, such as BillGates, Dofloo and Mayday.

The firm discovered a series of attacks against its customers in late December 2014, in a 121-day period the researchers tracked the malicious architecture used by cyber criminals.

The IPs of 60 command and control (C&C) servers were identified and the researchers recorded malicious traffic originated from more than 40,000 IP addresses belonging to nearly 1,600 ISPs worldwide across 109 countries.

It is interesting to note that more than 85 percent of the infected SOHO routers are located in Thailand and Brazil.

“More than 85 percent of all compromised routers are located in Thailand and Brazil, while the majority of the C2s are located in the US (21%) and China (73%). Overall, we’ve documented attack traffic from 109 countries around the world.” states the report.

SOHO routers botnet

Who operated the botnet?

According to Incapsula, the compromised SOHO routers are being exploited by several threat actors, including the popular Anonymous collective.

Incapsula speculated that hundreds of thousands or even millions of SOHO routers have been compromised due to a poor configuration.

Pierluigi Paganini

(Security Affairs –  Soho Routers, hacking)



you might also like

leave a comment