Millions of home and small office routers hijacked for DDoS attacks

Large numbers of small office/home office (SOHO) routers are now under the control of hackers, said researchers at cybersecurity firm Incapsula. According to the firm, lax security practices has resulted in hundreds of thousands—more likely millions—of routers being hijacked. “The DDoS campaign in question amounts to a series of application layer HTTP flood attacks launched against 60 Incapsula-protected domains, which share no common relation,” the firm said in its blog post. “We first encountered these attacks on December 30, 2014 and have been mitigating them ever since. In the last 30 days, after a short-lived lull, we saw them escalate to a new height, with double the number of attacking IPs.” [caption id=“attachment_2011331” align=“alignleft” width=“380”]  Representational image. Reuters[/caption] Incapsula’s analysis revealed that this wave of attacks is a part of a much larger DDoS assault targeting hundreds of other domains outside of its network, and includes other attack vectors—including network layer barrages. What makes this specific DDoS campaign stand out, according to the security firm, is the botnet from which it’s being launched, one consisting of a large number of SOHO routers, predominantly ARM-based Ubiquiti devices. Researchers at Incapsula found that all units are remotely accessible via HTTP and SSH on their default ports. On top of that, nearly all are configured with vendor-provided default login credentials. This combination invites trouble. At the risk of overstating the obvious, this level of access lets any perpetrator easily: eavesdrop on all communication; perform man-in-the-middle (MITM) attacks; hijack cookies; and gain access to local network devices (e.g., CCTV cameras). Also, all these exposed routers were injected with variants of MrBlack malware (a.k.a. Trojan.Linux.Spike.A), whose signatures have been identified while mitigating the attack, the researchers claimed. “After inspecting a sample of 13,000 malware files, we saw that on average, each compromised router held four variants of MrBlack malware, as well as additional malware files, including Dofloo and Mayday, which are also used for DDoS attacks.” Between December 30, 2014 and April 19, 2015, Incapsula recorded attack traffic from 40,269 IPs belonging to 1600 ISPs worldwide. More than 85 percent of all compromised routers are located in Thailand and Brazil, followed by US (4%) and India (3%), while the majority of the C2s are located in the US (21%) and China (73%). Based on the profile of targets and the attack patterns, the company said these compromised routers are being exploited by several groups or individuals. Incapsula advises all router owners to change the default login credentials, if they haven’t done so already. “Finally, if you believe your router(s) is already compromised, upgrade your router’s firmware to the latest version provided by the manufacturer.”