Security researchers say they do not know who is responsible for launching the attacks. But in a sign of how difficult it is to keep so-called "Internet of Things" devices secure, one of the network device manufacturers whose products have been targeted says it only sells its devices to consultants and integrators, and that they should know how to secure the devices before rolling them out at customers' sites.
News of the router botnet comes via the report "Lax Security Opens the Door for Mass-Scale Abuse of SOHO Routers," released by Incapsula, a DDoS defense firm owned by information security vendor Imperva. It warns that attackers, using variants of MrBlack - a.k.a. Spike malware - have created "self-sustaining botnets" that have automatically infected and seized control of tens of thousands of routers, thanks to the devices using well-known default credentials. The vast majority of these malware-infected devices, it adds, are located in Thailand and Brazil.
"After inspecting a sample of 13,000 malware files, we saw that on average, each compromised router held four variants of MrBlack malware, as well as additional malware files, including Dofloo and Mayday, which are also used for DDoS attacks," Incapsula's report says. It says that while routers and other network-connected devices from a number of vendors have been compromised, the majority involve devices based on ARM processors built by San Jose, Calif.-based Ubiquiti Networks. "Faced with this homogenous botnet, our security investigators' initial assumption was that the routers were compromised by a shared firmware vulnerability," Incapsula researchers write in their report. "However, further inspection revealed that all units are remotely accessible via HTTP and SSH on their default ports. On top of that, nearly all are configured with vendor-provided default login credentials."
To date, it's not clear who is behind this router takeover campaign. Incapsula notes that the timing of spikes in attacks appears to parallel the hacking group Lizard Squad announcing new, related capabilities in its "Lizard Stresser" DDoS-on-demand service. But it says that there is "no hard evidence" of the group's involvement, and says it's just as likely that this router-takeover campaign is the work of a competing or copycat DDoS-as-a-service provider.