The first vulnerability was tested successfully against a TP-Link TD-8840T router running firmware version 3.0.0 build 120531, one of the first victim devices identified in the attack campaign, the researchers said. The second vulnerability reportedly affects the TP-Link WR1043ND, TL-MR3020 and TL-WDR3600 running various firmware versions, but other models might also be affected.
TP-Link has released firmware patches for some of the affected models, but users rarely update their home routers and other networking devices.
The mass compromise identified by Team Cymru bears some resemblance to another attack campaign reported in early February that altered the DNS settings of home routers in Poland to intercept online banking sessions. That attack is also believed to have exploited the ZynOS vulnerability, but Team Cymru believes it's separate from the larger attack campaign they identified.
In the Polish attack, hackers used different rogue DNS servers, targeted a small pool of users in a more concentrated geographic area and specifically focused on intercepting connections to Polish banking sites.
"In contrast, the attackers setting devices to the IPs 184.108.40.206 and 220.127.116.11 had compromised a very large pool of devices, and controlled large blocks of devices within specific ISPs, where the homogeneity of SOHO [small office/home office] router models, configurations and firmware versions likely allowed the attack to scale easily," the Team Cymru researchers said.
The majority of routers compromised in the attack campaign identified by Team Cymru were located in Vietnam (around 160,000 IP addresses), but overall the campaign had a global distribution. Aside from Vietnam, the top 10 countries by victim count were India, Italy, Thailand, Colombia, Bosnia and Herzegovina, Turkey, Ukraine, Serbia and Ecuador. The U.S. was 11th.
"The scale of this attack suggests a more traditional criminal intent, such as search result redirection, replacing advertisements, or installing drive-by downloads; all activities that need to be done on a large scale for profitability," the researchers said. "The more manually intensive bank account transfers seen in Poland would be difficult to conduct against such a large and geographically-disparate victim group."
The researchers also observed that the two DNS servers used by the attackers responded intermittently to requests, meaning that victims likely experienced Internet connection issues. DNS is a critical service that's used to translate domain names into numerical IP addresses. Without this functionality, a computer would not be able to access any website using its domain name.
By controlling DNS resolution, attackers can transparently redirect users to servers under their control when those users try to access legitimate websites. This enables a variety of attacks, from traffic snooping to hijacking search queries and injecting exploits, advertisements and other rogue content into traffic.
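Because the router hands its DNS settings to every client on the network, one place to spot this kind of tampering is the resolver list a client ends up with. The following is an added example, not code from the article or from Team Cymru: it audits resolv.conf-style text against the two rogue addresses quoted above. The expected-resolver list and the sample input are constructed assumptions.

```python
import ipaddress

# The two rogue resolver addresses exactly as quoted in this article.
ROGUE_RESOLVERS = {"184.108.40.206", "220.127.116.11"}

# Assumption: resolvers this network is expected to use (constructed values;
# 192.0.2.0/24 is a documentation range standing in for the ISP's resolvers).
EXPECTED_NETWORKS = [ipaddress.ip_network("192.168.1.1/32"),
                     ipaddress.ip_network("192.0.2.0/24")]

def parse_nameservers(resolv_conf_text):
    """Return the nameserver entries from resolv.conf-style text, in order."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        # Drop '#' and ';' comments, then look for "nameserver <addr>".
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def classify(server):
    """Classify one resolver as rogue, expected, unexpected or malformed."""
    try:
        addr = ipaddress.ip_address(server.split("%", 1)[0])  # drop IPv6 zone id
    except ValueError:
        return "malformed"
    if str(addr) in ROGUE_RESOLVERS:
        return "rogue"
    if any(addr in net for net in EXPECTED_NETWORKS):
        return "expected"
    return "unexpected"  # not a known-bad address, but worth a manual look

def audit(resolv_conf_text):
    """Map each configured resolver to its classification."""
    return {s: classify(s) for s in parse_nameservers(resolv_conf_text)}

# Constructed sample: what a client behind a tampered router might receive.
SAMPLE = """\
# pushed by DHCP from the home router
nameserver 184.108.40.206
nameserver 192.168.1.1
nameserver 8.8.8.8   # set by hand
nameserver not-an-ip
"""

if __name__ == "__main__":
    for server, verdict in audit(SAMPLE).items():
        print(f"{server:20} {verdict}")
```

A "rogue" or "unexpected" result on a client is a reason to check the DNS settings on the router itself, since that is where the change described in the article is made.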