Incapsula SOHO Router Report - FINAL


Lax Security Opens the Door for Mass-Scale Hijacking of SOHO Routers

Lately, Small Office / Home Office (SOHO) router security has become a hot topic. For those unfamiliar, the situation can best be described as "inexplicably negligent," with ISPs, vendors, and users sharing a long tradition of disregarding basic security practices. The result of this collaborative negligence is the existence of hundreds of thousands, more likely millions, of hacker-controlled routers used to terrorize the Internet ecosystem, not to mention interconnected networks.

Several dozen Imperva Incapsula customers were recently targeted by one such DDoS botnet comprising tens of thousands of hijacked routers. After informing all parties involved, we are sharing attack details in an attempt to raise awareness about the dangers posed by under-secured, connected devices. The attacks we will describe are enabled by what we perceive as particularly reckless security practices. Despite our best efforts, many of these botnet devices remain active, continuing to play a role in attack attempts against our clients and other websites, even as this is being written.

Attack Description

The DDoS campaign in question amounts to a series of application layer HTTP flood attacks launched against 60 Incapsula-protected domains, which share no common relation. We first encountered these attacks on December 29, 2014 and have been mitigating them ever since. In the last 30 days, after a short-lived calm, we saw the assault escalate to a new height, with double the number of attacking IPs.

Figure 1: History of DDoS attacks from routers infected with MrBlack malware

This escalation piqued our interest, prompting further investigation by the Incapsula security team. Our analysis revealed that this wave of attacks is part of a much larger DDoS assault targeting hundreds of other domains outside of the Incapsula network, and includes other attack vectors, including network layer barrages.

Botnet Profile

What makes this specific DDoS campaign stand out is the botnet from which it's being launched, one consisting of a large number of SOHO routers, predominantly ARM-based Ubiquiti devices. Faced with this homogeneous botnet, our security investigators' initial assumption was that the routers were compromised by a shared firmware vulnerability. However, further inspection revealed that all units are remotely accessible via HTTP and SSH on their default ports. On top of that, nearly all are configured with vendor-provided default login credentials.

Figure 2: By punching in its IP address anybody can remotely access this Ubiquiti router

This combination of faulty practices invites trouble. At the risk of overstating the obvious, this level of access lets any perpetrator easily:

- eavesdrop on all communication.
- perform man-in-the-middle (MITM) attacks (e.g., DNS poisoning).
- hijack cookies.
- gain access to local network devices (e.g., CCTV cameras).

Setting aside the exploitation discussion, we can unequivocally state that all these exposed routers were injected with variants of Mr.Black malware (a.k.a. Trojan.Linux.Spike.A), whose signatures we've identified while mitigating the attack.

Figure 3: Incoming DDoS traffic from a compromised router

After inspecting a sample of 13,000 malware files, we saw that on average, each compromised router held four variants of MrBlack malware, as well as additional malware files, including Dofloo and Mayday, which are also used for DDoS attacks.

Malware        Type        Variants Observed   Commonness
MrBlack        DDoS tool   137                 86.57%
Dofloo         DDoS tool   19                  5.48%
Mayday         DDoS tool   24                  2.84%
BillGates      DDoS tool   5                   2.30%
Skynet         Backdoor    5                   1.46%
Unknown/New    DDoS Bot    2                   1.35%

Botnet Geo-locations and C2 Data

During the 121-day period Incapsula recorded attack traffic from 40,269 IPs belonging to 1,600 ISPs worldwide. We were also able to trace the IP addresses of 60 command and control systems used by perpetrators to remotely direct malicious traffic. More than 85 percent of all compromised routers are located in Thailand and Brazil, while the majority of the C2s are located in the US (21%) and China (73%). Overall, we've documented attack traffic from 109 countries around the world.

Figure 4: Top attacking countries, by number of IPs

Based on the profile of targets and the attack patterns, we know these compromised routers are being exploited by several groups or individuals. For instance, our analysis also shows that several of these malware variants are reporting to the AnonOps IRC channel, indicating that Anonymous is one of the groups responsible for exploiting these under-protected devices.

Figure 4: Malware on a hijacked router reporting to AnonOps IRC channel

Given how easy it is to hijack these devices, we expect to see them being exploited by additional perpetrators. Even as we conducted our research, the Incapsula security team documented numerous new malware types being added, each compounding the threat posed by the existence of these botnet devices.

Figure 5: Attack heat map: Botnet and C2 geo-locations

Self-sustaining Botnets

Our analysis reveals that miscreants are using their botnet resources to scan for additional misconfigured routers to add to their flock. They do so by executing shell scripts, searching for devices with open SSH ports that can be accessed using default credentials.

Figure 6: Scanning script used to identify remotely accessible routers

Facilitating the infiltration, all of these under-secured routers are clustered in the IP neighborhoods of specific ISPs that provide them in bulk to end-users. For perpetrators, this is like shooting fish in a barrel, which makes each of the scans that much more effective. Using this botnet also enables perpetrators to execute distributed scans, improving their chances against commonplace blacklisting, rate-limiting and reputation-based defense mechanisms.

Copycats or Lizard Stresser v2?

Those who follow the escapades of Lizard Squad have probably noticed that the above-described botnet shares several similarities with Lizard Stresser, the group's DDoS-for-hire service. Specifically, Lizard Squad's botnet was also reportedly built on an infrastructure of under-secured routers that were likewise injected with malicious code, used to scan for other similarly vulnerable devices. Despite several outward similarities, however, the two botnets don't appear to be one and the same.

Most tellingly, the malware types observed in both cases are different. While Lizard Squad was known to use Linux.BackDoor.Fgt.1 to control their router-based botnet, the hijacked routers that we observed were mostly infected with Spike malware.

Still, looking at the historical attack data, we continue to find some interesting parallels between the attacks on our clients and what has been reported about Lizard Squad's shenanigans.

In both cases we observe similar peaks and valleys of activity. Notably, the assault on our clients started on December 30, nearly at the same exact time that Lizard Stresser was first announced. From there, after observing a high frequency of attacks in January 2015, we saw the assault flatline in February, a week or so after Lizard Squad's website was brought down by Anonymous. Finally, we saw attacks become more frequent in early April, with the largest of the bunch occurring days before Lizard Squad re-emerged on Twitter with a promise of a new, and more powerful, botnet.

It should be pointed out that none of these circumstantial correlations offer any hard evidence of the group's involvement. If anything, they present us with several open questions about the possible evolution of Lizard Squad's botnet resources and the existence of copycats that are following in the group's footsteps.

With this in mind, we ask all security researchers with any additional information about the perpetrators attacking our clients to reach us at [email protected].

Taking Action

Prior to publishing this report, Incapsula contacted the router vendor and the ISPs whose networks we found to be most open to abuse. Revisiting the notion of shared responsibility, we strongly urge router owners to disable all remote (WAN) access to their router management interfaces. To verify that your own router is not open to remote access, you can use this tool from YouGetSignal to scan the following ports: SSH (22), Telnet (23) and HTTP/HTTPS (80/443). Regardless of the result, we also strongly advise all router owners to change the default login credentials, if they haven't done so already. You can download these user guides to learn how to do so on Ubiquiti routers.

Finally, if you believe your router(s) may already be compromised, upgrade your router's firmware to the latest version provided by the manufacturer. If you've never done this before, we suggest reading this post, from the Super User community blog, about Router Flashing for mere Humans.
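The same self-check scripted, as an added example that is not part of the Incapsula report: it probes the four management ports the report lists against an address you supply (meant to be your own router's public IP, run from outside your network) and maps the result to the report's recommendation. Only the port list comes from the report; the function names and the local-listener self-test are assumptions of this example.

```python
import socket
import sys
from typing import Dict

# Management ports the report says must not be reachable from the WAN side.
MANAGEMENT_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS"}


def port_is_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def check_remote_exposure(host: str, ports: Dict[int, str] = MANAGEMENT_PORTS,
                          timeout: float = 3.0) -> Dict[str, bool]:
    """Probe each management port; the caller's own public IP is the intended target."""
    return {name: port_is_open(host, port, timeout) for port, name in ports.items()}


def exposure_summary(results: Dict[str, bool]) -> str:
    """Turn probe results into the action the report recommends."""
    exposed = sorted(name for name, is_open in results.items() if is_open)
    if not exposed:
        return "no management port reachable from the WAN side"
    return ("remote access is enabled on " + ", ".join(exposed)
            + "; disable WAN management and replace default credentials")


def selftest() -> bool:
    """Offline check of the probe: a constructed local listener must read as open,
    and the same port must read as closed once the listener is gone."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        seen_open = port_is_open("127.0.0.1", port, 1.0)
    finally:
        listener.close()
    seen_closed = not port_is_open("127.0.0.1", port, 1.0)
    return seen_open and seen_closed


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(exposure_summary(check_remote_exposure(target)))
```

Run it from a host outside your LAN against your public IP; a probe from inside the LAN only tells you whether LAN-side management is on.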
