A!Team!Cymru!EIS!Report:!Growing!Exploitation!of!Small! OfCice!Routers!Creating!Serious!Risks!



Similar documents
Analysis One Code Desc. Transaction Amount. Fiscal Period

AT&T Global Network Client for Windows Product Support Matrix January 29, 2015

COMPARISON OF FIXED & VARIABLE RATES (25 YEARS) CHARTERED BANK ADMINISTERED INTEREST RATES - PRIME BUSINESS*

COMPARISON OF FIXED & VARIABLE RATES (25 YEARS) CHARTERED BANK ADMINISTERED INTEREST RATES - PRIME BUSINESS*

Case 2:08-cv ABC-E Document 1-4 Filed 04/15/2008 Page 1 of 138. Exhibit 8

Enhanced Vessel Traffic Management System Booking Slots Available and Vessels Booked per Day From 12-JAN-2016 To 30-JUN-2017

CENTERPOINT ENERGY TEXARKANA SERVICE AREA GAS SUPPLY RATE (GSR) JULY Small Commercial Service (SCS-1) GSR

Ashley Institute of Training Schedule of VET Tuition Fees 2015

Consumer ID Theft Total Costs

CHILDREN AND YOUNG PEOPLE'S PLAN: PLANNING AND PERFORMANCE MANAGEMENT STRATEGY

CAFIS REPORT

ROYAL REHAB COLLEGE AND THE ENTOURAGE EDUCATION GROUP. UPDATED SCHEDULE OF VET UNITS OF STUDY AND VET TUITION FEES Course Aug 1/2015

Choosing a Cell Phone Plan-Verizon

Breen Elementary School

Computing & Telecommunications Services Monthly Report March 2015

BCOE Payroll Calendar. Monday Tuesday Wednesday Thursday Friday Jun Jul Full Force Calc

Deep Security/Intrusion Defense Firewall - IDS/IPS Coverage Statistics and Comparison

Deep Security Intrusion Detection & Prevention (IDS/IPS) Coverage Statistics and Comparison

Detailed guidance for employers

P/T 2B: 2 nd Half of Term (8 weeks) Start: 25-AUG-2014 End: 19-OCT-2014 Start: 20-OCT-2014 End: 14-DEC-2014

P/T 2B: 2 nd Half of Term (8 weeks) Start: 26-AUG-2013 End: 20-OCT-2013 Start: 21-OCT-2013 End: 15-DEC-2013

LAUREA MAGISTRALE - CURRICULUM IN INTERNATIONAL MANAGEMENT, LEGISLATION AND SOCIETY. 1st TERM (14 SEPT - 27 NOV)

P/T 2B: 2 nd Half of Term (8 weeks) Start: 24-AUG-2015 End: 18-OCT-2015 Start: 19-OCT-2015 End: 13-DEC-2015

Accident & Emergency Department Clinical Quality Indicators

Academic Calendar Arkansas State University - Jonesboro

2016 Examina on dates

Academic Calendars. Term I (20081) Term II (20082) Term III (20083) Weekend College. International Student Admission Deadlines

2015 Examination dates

Legislative Brief: PAY OR PLAY PENALTIES LOOK BACK MEASUREMENT METHOD EXAMPLES. EmPowerHR

Supervisor Instructions for Approving Web Time Entry

Dragonfly: Energy Companies Under Sabotage Threat Symantec Security Response

Trimble Navigation Limited (NasdaqGS:TRMB) > Public Ownership > Officials' Trading

NASDAQ DUBAI TRADING AND SETTLEMENT CALENDAR On US Federal Reserve Holidays, no settlements will take place for USD.

Important Dates Calendar FALL

Proposal to Reduce Opening Hours at the Revenues & Benefits Coventry Call Centre

oct 03 / 2013 nov 12 / oct 05 / oct 07 / oct 21 / oct 24 / nov 07 / 2013 nov 14 / 2013.

Employers Compliance with the Health Insurance Act Annual Report 2015

Department of Public Welfare (DPW)

1. Introduction. 2. User Instructions. 2.1 Set-up

Multilateral and Regional Insitutions Risk Classifications of the Participants to the Arrangement on Officially Supported Export Credits

There e really is No Place Like Rome to experience great Opera! Tel: to discuss your break to the Eternal City!

Newfoundland and Labrador Hydro Electricity Rates

ACCESS Nursing Programs Session 1 Center Valley Campus Only 8 Weeks Academic Calendar 8 Weeks

ACCESS Nursing Programs Session 1 Center Valley Campus Only 8 Weeks Academic Calendar 8 Weeks

Marsha Ingram, Head of Corporate Affairs

FY 2015 Schedule at a Glance

UPCOMING PROGRAMMES/COURSES APRIL, 2014 MARCH, 2015 (MIND KINGSTON & MANDEVILLE CAMPUSES)

MONTHLY REMINDERS FOR 2013

Media Planning. Marketing Communications 2002

2015 Ohio MemberSource Newsletter Targeted Production Schedule (Laura Huff/Courtney Stewart)

COURSE INFORMATION TRAINING COSTS. OHS Timetable 2-Day Class Format

Independent Accountants Report on Applying Agreed-Upon Procedures

Human Resources Management System Pay Entry Calendar

The Impact of Medicare Part D on the Percent Gross Margin Earned by Texas Independent Pharmacies for Dual Eligible Beneficiary Claims

Schedule of VET FEE-HELP Tuition Fees & Census Dates

Insurance and Banking Subcommittee

School Improvement Plan Template for Advanc ED Goals Management

Interest Rates. Countrywide Building Society. Savings Growth Data Sheet. Gross (% per annum)

End of Life Content Report November Produced By The NHS Choices Reporting Team

DCF - CJTS WC Claim Count ACCT DCF CJTS - Restraints InjuryLocation (All)

South Dakota Board of Regents. Web Time Entry. Student. Training Manual & User s Guide

Comparing share-price performance of a stock

ACCOUNT TAKEOVER TO IDENTITY TAKEOVER

NATIONAL CREDIT UNION SHARE INSURANCE FUND

2015 Settlement Calendar for ASX Cash Market Products ¹ Published by ASX Settlement Pty Limited A.B.N

Oxfam GB Digital Case Study -

How Can Fleets Control Mounting Fuel Costs? Effective fuel management requires purchase controls and driver behavior modification.

Impacts of Government Jobs in Lake County Oregon

Figure 24 Georgia s Children a Major Focus of Human Services. $20 M Georgia Vocational Rehab Agency $1.5 M Office of Residential Child Care

PROJECTS SCHEDULING AND COST CONTROLS

Health Insurance Exchange Finance Work Group Meeting August 22, 2012 Wakely Consulting Model Table Summaries - Updated

Sage ERP MAS 90, 200, 200 SQL, and Sage ERP MAS 500. Supported Versions

Easter Seals Central Texas Programs Outcome Profiles Monthly and Year to Date FY % 87% 80% 80% 84% 84% 83%

Resource Management Spreadsheet Capabilities. Stuart Dixon Resource Manager

Business Plan Example. 31 July 2020

Climatography of the United States No

Start Your. Business Business Plan

OPERATIONS SERVICE UPDATE

Centers of Academic Excellence in Cyber Security (CAE-C) Knowledge Units Review

Saving for your. child s future

Climatography of the United States No

Items/Tasks required to be completed for Financial Services Division (FSD)

Sept Sept 2015 To book call or visit bpp.com/aat. Online Classroom Live (OCR Live)

Castellon, of January Copyright Grupo Europeo de Consultoría LocalEurope. Reservados todos los derechos.

Architectural Services Data Summary March 2011

Financial Operating Procedure: Budget Monitoring

PTC Creo 2.0 Hardware Support Dell

Performance Measures. First Quarter 2012

GOVERNING BODY MEETING held in public 29 July 2015 Agenda Item 4.4

PHISHING IN SEASON TAX TIME MALWARE, PHISHING AND FRAUD

Ways We Use Integers. Negative Numbers in Bar Graphs

Deep Security Vulnerability Protection Summary

BURS notice: Non-acceptance of cheques

University-Wide Academic Calendar

Transcription:

ATeamCymruEISReport:GrowingExploitationofSmall OfCiceRoutersCreatingSeriousRisks PoweredbyTeamCymru sthreatintelligencegroup Page 1of 14www.team-cymru.com www.team-cymru.com

Threat'Intelligence'Group EXECUTIVE SUMMARY Page2of14www.team-cymru.com

Summary' Thisreportdetailsourrecentanalysisofawidespreadcompromiseofconsumer-grade smallofcice/homeofcice(soho)routers.attackersarealteringthednsconcigurationon thesedevicesinordertoredirectvictimsdnsrequestsandsubsequentlyreplacethe intendedanswerswithipaddressesanddomainscontrolledbytheattackers,effectively conductingaman-in-the-middleattack. Asthebarisincreasinglyraisedforcompromisingendpointworkstations,cybercriminals areturningtonewmethodstoachievetheirdesiredgoals,withoutgainingaccessto victims machinesdirectly.thecampaigndetailedinthisreportisthelatestinagrowing trendteamcymruhasobservedofcybercriminalstargetingsohorouters. InJanuary2014,TeamCymru senterpriseintelligenceservicesbeganinvestigating asohopharmingcampaignthathadoverwrittenrouterdnssettingsincentral Europe.Todate,wehaveidentiCiedover300,000devices,predominantlyinEurope andasia,whichwebelievehavebeencompromisedaspartofthiscampaign,one whichdatesbacktoatleastmid-decemberof2013. AffecteddeviceshadtheirDNSsettingschangedtousetheIPaddresses5.45.75.11 and5.45.75.36.ouranalysisindicatedthatalargemajorityofaffectedrouters residedinvietnam.othertopcountriesaffectedincludedindia,italyandthailand. Analysisofthevictimdevicesaffectedrevealedthatthecompromiseisnotlimitedto asinglemanufacturer.arangeofroutermodelsfromseveralmanufacturersappears tobecompromised.aswiththednschangermalware,unwittingvictimsare vulnerabletoalossofserviceifthemaliciousserversaretakendown,asboth primaryandsecondarydnsipaddressesareoverwritten,complicatingmitigation. Theaffecteddevicesweobservedwerevulnerabletomultipleexploittechniques, includingarecentlydisclosedauthenticationbypassvulnerabilityinzyxel CirmwareandCross-SiteRequestForgery(CSRF)techniquessimilartothose reportedinlate2013. 1 Thislarge-scaleattackhassimilaritieswitharecent,highlytargetedattackagainst Polishconsumerbankcustomers,thoughsubtledifferencesintradecraftpointto thesebeingseparatecampaigns. 2Wealsobelievethatthisactivityisseparatefrom thelinksysmoonwormrecentlyreportedbythesansinstitute. 3 WeassessthatconsumerunfamiliaritywithconCiguringthesedevices,aswellas frequentlyinsecuredefaultsettings,backdoorsincirmware,andcommodity-level 1 Seehttp://www.jakoblell.com/blog/2013/10/30/real-world-csrf-attack-hijacks-dns-server-configuration-of-tplink-routers-2/ and http://rootatnasro.wordpress.com/2014/01/11/how-i-saved-your-a-from-the-zynos-rom-0-attackfull-disclosure 2 http://niebezpiecznik.pl/post/stracil-16-000-pln-bo-mial-dziurawy-router-prawie-12-miliona-polakow-moze-bycpodatnych-na-ten-atak/ 3 https://isc.sans.edu/diary/linksys+worm+%22themoon%22+summary%3a+what+we+know+so+far/17633 Page 3of 14www.team-cymru.com

engineeringstandardsmakesoho-typewirelessroutersaveryattractivetargetfor cybercriminals.' Manycybercrimeparticipantshavebecomeusedtopurchasingbots,exploit servers,andotherinfrastructureasmanagedservicesfromothercriminals.we expectthatthesemarketforceswilldriveadvancesintheexploitationofembedded systemsastheyhavedonefortheexploitationofpcs. WehaveintegratedvictimIPaddressesandotherdatarelatedtoSOHOpharming attacksintoourno-costcommunitytoolsfornetworkproviders,aswellasour commercialthreatintelligencefeeds.formoredetails,visithttps://www.teamcymru.org/services/ Affected'router'distribution'heatmap'visualization Page 4of 14www.team-cymru.com

Threat'Intelligence'Group ANALYSIS Page5of14www.team-cymru.com

Analysis Observed'in'the'Wild' InJanuary2014,theEnterpriseIntelligenceServicesteamatTeamCymrubecameawareof severaltp-linkwi-firoutersthathadtheirdnssettingsmaliciouslyalteredtosenddns requeststotwonewipaddresses: 5.45.75.11 5.45.75.36 TherouterswerebothsmallofCice/homeofCice(SOHO)classdevicesthatprovidedWi-Fi connectivity,localdns,anddhcpservicestocustomers,andwerenotusingdefault passwords. Figure'1.'Three'phases'of'SOHO'router'DNS'exploitation'via'CSRF'vulnerability.' However,thesedeviceswererunningaCirmwareversionvulnerabletotheCross-Site RequestForgery(CSRF)techniqueillustratedinFigure1.Additionally,atleastoneofthese Page 6of 14www.team-cymru.com

modelswasrunningaversionofzyxelzynoscirmwarerecentlyexposedashavinga seriousclawthatallowsattackerstodownloadthesavedconcigurationcile,andthusthe administrativecredentials,fromanunauthenticatedurlinthewebinterface. 4 AnalysisofthesemaliciousDNSserversrevealedawiderangeofcompromiseddevices, includingmodelsfromd-link,micronet,tenda,tp-link,andothers.wehavemadeefforts tocontactthesemanufacturers,andwelookforwardtocooperatingwiththemgoing forward.victimrouterswereobservedglobally,withthelargestinfectionsinvietnam,italy, Thailand,Indonesia,Colombia,Turkey,Ukraine,BosniaandHerzegovina,andSerbia. Thescaleofthiscampaignisquitelarge.Figure2showsthedistributionofvictimsby countryoveraone-weekperiod.over300,000uniqueipaddressesattempteddns requeststothetwoservers.thetwoserversinvolvedrespondedtoanyexternaldns requestandactedasopenresolvers. Figure'2.'Victims'are'spread'globally,'likely'in'proportion'to'quantities'of'vulnerable'devices' supplied'by'isps' Inourtests,theSOHOpharmingDNSserversappearedtoforwardourDNSrequestsonto legitimateauthoritativeservers.attemptstologintolocalbankingwebsitesinaffected countries,andtodownloadsoftwareupdatesfromadobeandothersallappearedto functionnormally,thoughmanyrequestsresolvednoticeablyslowlyorfailedtocomplete. WebsiteswetestedalsoappearedtodisplaynormaladvertisingusingtheseDNSservers. 4 http://rootatnasro.wordpress.com/2014/01/11/how-i-saved-your-a-from-the-zynos-rom-0-attack-full-disclosure Page 7of 14www.team-cymru.com

OuranalysisdidreveallinksbetweenthetwoSOHOpharmingDNSserversandvarietyof othersuspiciousdevices.whilethismaysimplyresultfrommalware-relateddnsactivity onvictimhostcomputers,orquestionablebrowsingactivitiesbyusersbehindvictimsoho devices,wecontinuetoinvestigatethebehaviorof5.45.75.11and5.45.75.36.wehavealso informedlawenforcementaboutthecompromisedroutersbeingsettousetheseservers andreachedouttotheproviderinvolved,thoughnoresponsehasbeenreceivedthusfar. Figure'3.'A'sample'of'compromised'routers'linked'to'the'malicious'DNS'servers' mbank:'malicious'dns'redirection'coupled'with'social'engineering'attacks'' WhatkindsofattacksarepossibleonceaSOHOdevice sdnssettingshavebeenchanged? TheresearchersatNiebezpiecznik.plandCERTPolandrecentlyexposedahighlytargeted attack,usingdnsserversat: 95.211.241.94 95.211.205.5 Page 8of 14www.team-cymru.com

Inthiscase,themaliciousDNSserverswereusedinasophisticatedtwo-stageattack againstcustomersofthepolishmbankandotherpolishretailbanks. 5TheCirststage involvedusingdnsredirectiontostealcredentialstoindividualaccounts.theattackers thenusedthesetologintovictimaccountsandusedsocially-engineeredsmsmessagesto thevictimtoinducethevictimtounknowinglyapproveatransferoffundsintothe attacker saccount. BetweenDecember2013andFebruary2014,weobservedapproximately80compromised routers.overhalfthevictimswereinpolandandmostothersinrussia,withsmall numbersinbelgium,china,italy,theuk,andtheu.s.whilewebelievetheactualnumberof compromisedroutersisverylikelyhigher,thesenumbersonlyreclectthedeviceswe identiciedascompromised. Figure'4.'The'DNS'servers'used'in'the'mBank'fraud'had'a'small'number'of'victims,' concentrated'in'poland'and'russia.' Same'Techniques,'Different'Tradecraft' WhiletheseattacksbothalteredtheDNSserverIPaddressesusedbyvictimrouters,subtle differencesinthetradecraftemployedmakesitlikelythatweareobservingeitherseparate campaignsbythesamegroup,ormultipleactorsutilizingthesametechniquefordifferent purposes. http://niebezpiecznik.pl/post/stracil-16-000-pln-bo-mial-dziurawy-router-prawie-12-miliona-polakow-moze-byc- 5 podatnych-na-ten-atak/ Page 9of 14www.team-cymru.com

InthecaseoftheattacksagainstPolishbankingcustomers,theattackerswhoused maliciousdnsservers95.211.241.94and95.211.205.5appearedtotargetasmallpoolof usersinamoreconcentratedgeographicareaandspecicicallyfocusonconnectionsto Polishbankingwebsites.ResearchbyCERTPolandshowedthatcustomersofCivePolish retailbankswerelikelytargeted. 6 TheseattackersappearedtohaveconCiguredtheirmaliciousDNSserverstopassnonbankingDNSrequestssolelytoOpenDNS sserversforlegitimateresolution. Incontrast,theattackerssettingdevicestotheIPs5.45.75.11and5.45.75.36had compromisedaverylargepoolofdevices,andcontrolledlargeblocksofdeviceswithin specicicisps,wherethehomogeneityofsohoroutermodels,concigurations,andcirmware versionslikelyallowedtheattacktoscaleeasily.thescaleofthisattacksuggestsamore traditionalcriminalintent,suchassearchresultredirection,replacingadvertisements,or installingdrive-bydownloads;allactivitiesthatneedtobedoneonalargescalefor procitability.themoremanually-intensivebankaccounttransfersseeninpolandwouldbe difciculttoconductagainstsuchalargeandgeographically-disparatevictimgroup. The5.45.75.11and5.45.75.36serversalsobehaveddifferentlyinthewaytheyresolved DNSqueries.WhilethemaliciousserversusedinthePolishbankingattackfunneledtrafCic toopendnsforresolution,theseserverssentrequestsouttotheauthoritativeserversfor thedomainsqueriedandthuscommunicatedwithafarlargernumberofnameservers. Atleastoneinstancehasbeenreportedwherecrossoveroccurredbetweenthesetwo groupsofipaddresses,withonedevicelistingprimaryandsecondaryresolversas 95.211.156.101and5.45.75.11,andsomehavesuggestedthatthisindicatestheworkofa singleactor. 7Wewereunabletodeterminewhetherthiswasactualevidenceofoverlap betweendifferentcampaigns,whetheroneactorisbehindallciveips,orwhetherone campaignmayhaveaddedanewdnsiptoarouterpreviouslycompromisedbyanother campaign.however,giventhedifferencesoutlinedabove,webelievethattheseareseparate campaigns. UnlikeearlierDNS-changingSOHOcampaigns,theattacksweobservedchangedboth primaryandsecondarydnsaddressestothe5.45.75.11and5.45.75.36addresses mentionedearlier. 8ThisrisksalossofservicetoISPcustomersshouldthisDNS infrastructurebeshutdowninthefuture.duringouranalysiswealsoidenticiedthatthese DNSserversonlyrespondedintermittently,likelycausingproblemstoaffectedusers. 6 http://www.cert.pl/news/8019/ 7 Seehttp://security.stackexchange.com/questions/46966/dsl-modem-compromised,hxxp://in.answers.yahoo.com/ question/index?qid=20140117064445aajri7v, and hxxp://sokosensei.wordpress.com/2014/02/06/massive-attack-onpolish-wi-fi-routers-pharming/#more-732 http://www.jakoblell.com/blog/2013/10/30/real-world-csrf-attack-hijacks-dns-server-configuration-of-tp-link- 8 routers-2/ Page 10of 14www.team-cymru.com

How'is'it'Done?' BecauseoftheubiquityoffactorydefaultsettingsonSOHOdevices,somearevulnerableto simplepasswordguessing.weobservedmanyofthedevicescommunicatingwiththe suspiciousdnsservershadgraphicaluserinterfacesthatwasaccessiblefromtheinternet, andthusvulnerabletosimplebruteforcelog-onattempts.aconsiderablenumberofthe remotelyaccessibledevicesalsoappearedvulnerabletothe ROM-0 vulnerability publishedinearlyjanuary. 9ThisvulnerabilityinZyXEL szynosallowsattackersto downloadtherouter sconcigurationcilefromtheunauthenticatedguiurlhttp://[ip address]/rom-0.whiletheresultingrom-0cilestillhastobedecompressed,thisprocessis trivialwithavailabletools,andautomatedattackscriptsareavailableonlinewhich explicitlycallouttheabilitytochangednssettings. 10 InthecaseoftheTP-Linkdeviceswestartedwith,thesewerenotusingdefaultpasswords, andwhilesomemodelswererunningavulnerableversionofzynos,somevictimswere likelycompromisedbeforetherom-0techniquewaspublished.itiscertainlypossiblethat morethanonepartycouldhavediscoveredtherom-0technique,andwasexploitingthis vulnerabilitybeforeitbecamepublic.anotherpossibilityisthatthesedeviceswere compromisedusingapubliclyknowncross-siterequestforgery(csrf)technique. 11 This techniquewouldenableattackerstoinjectanullpasswordinthedevice swebinterface.in ourexamples,itworkedagainstcirmwareversion3.0.0build120531forthetp-link TD-8840t,oneofourinitialvictimsystems. URLused:http://192.168.1.1/Forms/tools_admin_1 ACSRFattackpublishedonthe30 th ofoctober2013appearedtoleveragestoredtp-link routerlogincredentialsinthebrowsertochangeroutersdnssettings. 12Devices vulnerabletothistechniqueincludedtp-linkwr1043nd,tl-mr3020,andtl-wdr3600. TheTP-LINKCSRFURLreportedinOctober2013showedtheinsertionofnewDNSIPs: http://admin:admin@192.168.1.1/userrpm/landhcpserverrpm.htm? dhcpserver=1&ip1=$localip_start_range&ip2= $LOCALIP_END_RANGE&Lease=120&gateway=0.0.0.0&domain=&dnsserver= $DNSIP&dnsserver2=$DNSIP2&Save= PreviousSOHOmodelshavebeenvulnerabletoCSRFtechniquesthatallowedwireless WPA/WPA2passwordstobechanged,alongwithothermaliciouschanges.Webelievethat acombinationofthesetechniqueswouldallowanattackertogaincontrolofthedeviceand changethednsconcigurationremotely. 9 http://rootatnasro.wordpress.com/2014/01/11/how-i-saved-your-a-from-the-zynos-rom-0-attack-full-disclosure 10https://github.com/MrNasro/zynos-attacker 11 See http://www.exploit-db.com/exploits/29924/ and http://cxsecurity.com/issue/wlb-2012100027 <img src="http://192.168.1.1/forms/tools_admin_1"/> 12 http://www.jakoblell.com/blog/2013/10/30/real-world-csrf-attack-hijacks-dns-server-configuration-of-tp-linkrouters-2/ Page 11of 14www.team-cymru.com

Mitigation'Strategies Organizationsconcernedthattheircustomersandexternalpartnerscouldbevictimsof thistypeofattackshouldurgethemtoreviewtheirlocalroutersettingsandsecurity policiesandcontacttheirupstreamserviceproviderforassistanceifnecessary.soho devicesshouldhaveremoteuser-modeadministrationfeaturesandguisdisabledor,ata minimum,restrictedthroughaclstoonlythoseipsrequiredforregularadministration. ManagementinterfacesopentotheInternetcreateaneasilydetectableandexploitable vulnerabilityandshouldbedisabledimmediatelyiffound. CommandlineconCigurationofdevices,wherepossible,ispreferredtowebGUIinterface methods,asmanyofthevulnerabilitiesreportedinvolvecsrfattacksagainstuserslogged intotheconcigurationgui.administratorsshouldalsoensuredevicecirmwareiskeptupto date. Forlargercorporatenetworks,securityprofessionalscouldalsodeployHTMLcodetotheir externallyfacingserverstoattempttodetectremoteusers DNSsettings,andpotentially blockuserswithcompromiseddnssettings,byusingahtmltagwithauniquehostname thatlinksvisitors DNSrequeststotheirpagevisits.Notethatthiscouldaddunwanted overheadforlargeorganizations. Intheexampleabove,theuser sbrowserisforcedtodoadnsqueryforaunique hostname,linkingthednsservertoauniquehostnamelookup.theclientdoesahttpget requestonthis unique_string_detectdns.corporate-domain hostnameandcanthenbe identiciedasusingmaliciousdnssettings.thistypeofdnsdetectiondoeshaveits limitationshowever,asitdoesnotworkwhenmaliciousdnsserversforwardtherequests tothird-partyserviceslikeopendns. Internaltocorporatenetworks,thesecompromisesareagoodreminderthatDNScanbe abusedformalwarecommandandcontrolanddataexciltrationaswellastheman-in-themiddletechniquesobservedhere.dnssettingsshouldbecorporatelycontrolledand potentiallysetatthehostlevelaspartofasecure,baselineconciguration.individualusers shouldnothavetheprivilegestochoosetheirowndnssettings. Finally,werecommendseverelyrestrictingormonitoringthedeploymentofSOHOWi-Fi devicesoncorporatenetworks,andsecurityauditsshouldincludeeffortstocindand removeunauthorizedwi-fiaccesspoints,aswellasscanningcorporatenetworksfor devicesrunningsohoserviceslikehomenetworkadministrationprotocol(hnap). 13 Forendusers,orthosewhouseaSOHOdeviceastheirlocalDNSserver,wesuggest reviewingthednssettingsoflocaldevices,andcheckingthattheipaddresseslisted belongstoyourisp snameservers.whilenotaffectedbythisattack,areviewofhost computerdnssettingsisalsorecommended.wheninquestion,dnssettingscanalwaysbe settousegoogle snameservers(8.8.8.8and8.8.4.4)orthoseofopendns(208.67.222.222 and208.67.220.220) Page of www.team-cymru.com 12 14 http://www.tenable.com/blog/hnap-protocol-vulnerabilities-pushing-the-easy-button 13

Conclusion BycompromisingoneSOHOrouter,anattackercanredirecttrafCicforeverydeviceinthat network.asthecompromiseofmbankuseraccountsdemonstrates,securitydoesnotstop atthehostlevel,butextendstoalldevicesinthenetwork.asembeddedsystemsbeginto proliferateinbothcorporateandconsumernetworks,greaterattentionneedstobegiven towhatvulnerabilitiesthesedevicesintroduce.securityforthesedevicesistypicallya secondaryconcerntocostandusabilityandhastraditionallybeenoverlookedbyboth manufacturersandconsumers.aswesawinthe2012discoveryof4millioncompromised BrazilianSOHOdevices,thisisparticularlyproblematicwhenoutdatedhardwareisleftin placeorlacksongoingsupportorcirmwareupdates. 14 WiththereleaseoftheexploitcodefortheMoonwormavailableonline,andthemBank campaigngainingmoreattentioneveryday,weexpecttoseemoreandmoremalicious activitytargetingsohodevicesandotherembeddedsystems.whiletodatetheattackswe haveobservedhavebeenlimitedtochanginguser-accessiblesettings,moonshowsthatthe nextlikelystepwillbethedevelopmentoftoolstosubvertoroverwritedevicecirmware andgiveattackersbetterstealthandpersistenceonconsumerdevices. Ourresearchintothiscampaigndidnotuncovernew,unknownvulnerabilities. Indeed,someofthetechniquesandvulnerabilitiesweobservedhavebeenpublicfor welloverayear.however,westillreachedouttotheequipmentvendorsaffectedby thiscampaignfortheirfeedbackandadvice.wewillupdatethispaperwithany recommendationsandresponseswereceivefromthesevendors. WehavealsonotiCiedseverallawenforcementagenciesabouttheissuesdescribed inthispaper,andreachedouttotheownersofthe5.45.75.11and5.45.75.36ip addresses.ourcommunicationstotheownersofthesedevices,perhapsnot surprisingly,wentunanswered. Weareworkingtodevelopnewtechniquestodetectthesetypesofcampaignsinthewild, andwillcontinuetopopulatebothourno-costandcommercialtoolswiththisdata.for moreinformation,pleasevisit: TCConsole-Free:https://www.team-cymru.org/Services/TCConsole/ CSIRTAssistanceProgram-Free:https://www.team-cymru.org/Services/CAP/ ThreatIntelligenceFeeds:https://www.team-cymru.com/Services/Intel/ 14 http://www.securelist.com/en/blog/208193852/the_tale_of_one_thousand_and_one_dsl_modems Page 13of 14www.team-cymru.com

Notable SOHO Security Issues Sercomm)backdoor)affecting) multiple)vendors)revealed)by)eloi) Vanderbeken) ActionTec)routers)deployed)for) Verizon s)fios)service)found) vulnerable)to)cve>2013>0126) Code)published)for)ZynOS)ROM>0) exploit.) /DEV/TTYS0)publishes)D>Link) Joel s) Backdoor )user)agent)backdoor) Exploit)code)published)for)0>day) used)in)moon)worm.)sans)reports) that)moon)exploits)hnap)scanning) to)find)vulnerable)devices) 2013 Jan..Feb. Mar. Apr. May Jun. July Aug. Sept. Oct. Nov. Dec. Jan. Feb. Mar. Apr. Team)Cymru)uncovers)SOHO) Pharming)activity)with)over) Rapid7)reports)on)vulnerabilities)in) 300,000)active)victims)) Universal)Plug)and)Play)(UPnP))protocol) that)affects)millions)of)devices) 2014 Carna)botnet)/) Internet)Census)2012 ) reveals)extent)of)insecure)soho)devices) and)potential)for)abuse) CVE>2013>3098)CSRF)vulnerability) reported)to)affect)trendnet)routers)) CERT)Poland)reports)campaign) targeting)banking)customers) Page14of14www.team.cymru.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information