Security firm Proofpoint has discovered a new ‘pharming’ attack on home broadband routers that looks different to the sort of incidents Techworld has covered in recent times.
About a year ago Team Cymru reported on a DNS redirection attack affecting 300,000 routers from vendors including D-Link, TP-Link, Micronet and Tenda, not long after researchers at the SANS Institute's Internet Storm Center (ISC) issued a warning about a worm targeting Linksys routers.
Those are only two examples from a back catalogue stretching back three years or more, and the root causes are no mystery – routers have weakly-coded software full of security problems that are never patched by owners or, scandalously, equipment makers. Compounding this, many aren’t properly secured out of the box, leaving remote management interfaces and default passwords in a vulnerable state.
Set against those incidents, the attack uncovered by Proofpoint looks pretty minor. In the course of monitoring the issue between December and mid-January 2015, the firm detected a tiny campaign targeting perhaps 100 users working for organisations, mostly in Brazil, using one of two router types common in that country, from TP-Link and UTStarcom.
Router pharming attacks at scale in that country are nothing new, but it is precisely that minuscule size that makes this attack stand out – who attacks 100 users?
The attack began with phishing emails spoofing Brazil’s largest telco, which led victims to booby-trapped web pages that attack the router by brute-forcing default passwords and exploiting known cross-site request forgery (CSRF) flaws. If successful, the router’s DNS settings are changed to a malicious DNS server that resolves all web traffic and, in theory, that control would allow attackers to man-in-the-middle any traffic travelling through the device.
Proofpoint prefers to see this as a clever proof of concept, put another way a demonstration of how easy it is to use phishing emails to attack routers, which are not normally the target of such expeditions. But the fact that it has been tried on such a select group of people suggests that this is some kind of targeted attack on specific individuals.
Cleverly, this variation of the router pharming attack would be almost impossible to detect using security software on the PC, which is used merely as a jumping-off point. It would also be difficult to stop with the sorts of defences put up to keep infrastructure secure.
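One host-side check a defender can still run against the DNS hijack described above, as an added example that is not from the Proofpoint report or this article: it compares the answers the router's resolver gives for sensitive domains with answers from an out-of-band reference resolver, and flags a router upstream DNS server that sits outside the ISP's expected ranges. All prefixes, domain names and answers below are constructed; in practice the reference answers would be fetched over a path that does not go through the router.

```python
"""Pharming check: a hijacked router answers sensitive domains with attacker
addresses, so its answers share nothing with an out-of-band reference resolver,
and its configured upstream DNS usually falls outside the ISP's ranges."""
import ipaddress
from typing import Dict, List, Set

# Constructed allowlist: RFC 1918 space (router forwarding to itself or a LAN
# box is normal) plus a stand-in prefix for the ISP's published resolvers.
EXPECTED_UPSTREAM = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("203.0.113.0/24"),  # hypothetical ISP resolver block
]

def upstream_is_unexpected(dns_server: str) -> bool:
    """True if the router's upstream resolver lies outside every expected range."""
    addr = ipaddress.ip_address(dns_server)
    return not any(addr in net for net in EXPECTED_UPSTREAM)

def diverging_domains(lan_answers: Dict[str, Set[str]],
                      reference_answers: Dict[str, Set[str]]) -> List[str]:
    """Domains where the LAN resolver's A records overlap nothing from the reference.

    CDN-backed names legitimately differ per resolver, so the test is 'no common
    address at all', not an exact match; a name missing on either side is skipped.
    """
    flagged = []
    for domain, lan_ips in lan_answers.items():
        ref_ips = reference_answers.get(domain)
        if not ref_ips or not lan_ips:
            continue
        if lan_ips.isdisjoint(ref_ips):
            flagged.append(domain)
    return sorted(flagged)

# Constructed sample data (documentation address ranges only)
LAN_ANSWERS = {
    "bank.example": {"198.51.100.7"},               # hijacked: attacker-controlled host
    "mail.example": {"203.0.113.40"},
    "cdn.example": {"192.0.2.10", "192.0.2.11"},
}
REFERENCE_ANSWERS = {
    "bank.example": {"203.0.113.20", "203.0.113.21"},
    "mail.example": {"203.0.113.40"},
    "cdn.example": {"192.0.2.11", "192.0.2.12"},    # partial overlap: normal CDN behaviour
}

if __name__ == "__main__":
    print("upstream unexpected:", upstream_is_unexpected("198.51.100.53"))
    print("diverging domains:", diverging_domains(LAN_ANSWERS, REFERENCE_ANSWERS))
```

A hit on either check is a reason to inspect the router's DNS settings directly, since the PC itself shows no infection.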
If a concept is being proved here, it’s that targeted attacks are possible on this class of device as long as it has exploitable flaws (most products, in fact) and uses either the default password or an insecure one (a sizeable minority of users).
Doubt that routers are really that full of software flaws? Read Tripwire's study from last year, which spotted numerous issues on a range of best-selling home router products sold on Amazon.