A group of attackers managed to compromise 300,000 home and small-office wireless routers, altering their settings to use rogue DNS servers, according to Internet security research organization Team Cymru.
In January, Team Cymru's researchers identified two TP-Link wireless routers whose settings were altered to send DNS (Domain Name System) requests to two particular IP addresses: 220.127.116.11 and 18.104.22.168. An analysis of the rogue DNS servers running at those IP addresses revealed a mass-scale compromise of consumer networking devices.
Over a one-week period, more than 300,000 unique IP addresses sent DNS requests to the two servers, the Team Cymru researchers said in a report released Monday. Many of those IP addresses corresponded to a range of routers, including models from D-Link, Micronet, Tenda, TP-Link and other manufacturers, that had their DNS settings maliciously altered, they said.
The researchers believe those devices were compromised using different techniques that exploit several known vulnerabilities. Many of the affected devices had their administrative interfaces accessible from the Internet, making them susceptible to brute-force password-guessing attacks or unauthorized access using default credentials, if their owners didn't change them, the researchers said.
A considerable number of devices also appeared to be vulnerable to a security flaw reported in January in ZynOS, a router firmware created by ZyXEL Communications that's also used on router models from other manufacturers. That vulnerability allows attackers to remotely download a file containing the configuration of vulnerable routers without authentication and parse it to extract the password for the router's administrative interface.
According to the Team Cymru researchers, it's also likely that attackers used cross-site request forgery (CSRF) to exploit vulnerabilities in TP-Link routers that have been known since last year.
CSRF attacks involve placing malicious code on a website to force visitors' browsers to send specially crafted requests to a third-party URL. If the users are authenticated on the third-party site and the site has no CSRF protection, the malicious requests can abuse the users' access on that site to perform unauthorized actions. This type of attack is also known as session riding.
Attackers can use CSRF techniques against routers even when their administration interfaces are only accessible from the local area network, by proxying requests through the owners' browsers and leveraging the owners' authenticated sessions.
The Team Cymru researchers noted two vulnerabilities reported in various TP-Link router models last year that are known to have been targeted through CSRF attacks. One allows attackers to replace the administrator password with a blank one and the other allows changing the router's DNS settings, even if the rogue request contains bogus credentials.
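To make the CSRF mechanism and the two TP-Link flaws concrete from the defender's side, here is an added example that is not code from the report or from any router vendor: a toy admin endpoint that changes DNS settings, first in a form that accepts any request carrying the session cookie and ignores the password, then hardened with an Origin check, a per-session anti-CSRF token and password re-verification. The router address, the session id, the password and the request shape are all constructed for the demo.

```python
import hmac
import secrets

ROUTER_ORIGIN = "http://192.168.0.1"  # assumed LAN address of the admin page
ADMIN_PASSWORD = "constructed-demo-password"  # constructed credential

def new_state():
    """Router state: one logged-in session, its CSRF tokens, the DNS setting."""
    return {"sessions": {"abc123"}, "csrf": {}, "dns": ["192.168.0.1", ""]}

def set_dns_vulnerable(request, state):
    """Accepts any POST that carries the session cookie. A page open in the
    owner's browser can submit this form to the LAN address; the browser
    attaches the cookie, and the password field is never checked."""
    if request["cookies"].get("session") in state["sessions"]:
        state["dns"] = [request["form"]["dns1"], request["form"]["dns2"]]
        return 200
    return 403

def issue_csrf_token(state, session_id):
    """Called when rendering the admin form; the token is embedded in it."""
    token = secrets.token_hex(16)
    state["csrf"][session_id] = token
    return token

def set_dns_hardened(request, state):
    """Same endpoint with three checks a cross-site request cannot satisfy."""
    session_id = request["cookies"].get("session")
    if session_id not in state["sessions"]:
        return 403
    # 1. The browser-set Origin header must name the router itself.
    if request["headers"].get("Origin") != ROUTER_ORIGIN:
        return 403
    # 2. The per-session token from the real admin form must match.
    expected = state["csrf"].get(session_id)
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    # 3. A sensitive change re-verifies the administrator password.
    if not hmac.compare_digest(request["form"].get("password", ""), ADMIN_PASSWORD):
        return 401
    state["dns"] = [request["form"]["dns1"], request["form"]["dns2"]]
    return 200

def cross_site_request():
    """Constructed request as a third-party page's hidden form would send it:
    cookie attached by the browser, foreign Origin, no token, bogus password."""
    return {"cookies": {"session": "abc123"},
            "headers": {"Origin": "http://third-party.example"},
            "form": {"dns1": "203.0.113.11", "dns2": "203.0.113.36",
                     "password": "wrong"}}
```

The vulnerable handler rewrites the resolvers on the forged request; the hardened one rejects it and leaves the setting untouched, while a request from the real admin form with the token and correct password still succeeds.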