Compromised Website Used In Attack On SoHo Routers

The folks over at the web security shop Sucuri have an interesting post today that warns of a web-based attack launched from the site of a popular Brazilian newspaper that is targeting home broadband routers.

According to Sucuri, researchers investigating a breach at the web site politica . estadao . com . br uncovered evidence that the hackers were using iframe attacks to try to change the DNS configuration on the victim’s DSL router, first by trying a brute force attack on the router’s default credentials.

Insecure broadband modems, home routers and other embedded devices may pose a serious security risk.

According to Sucuri, the payload was trying to crack default accounts like admin, root, gvt and other common usernames and a variety of known-default router passwords.
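For site operators checking whether their own pages carry this kind of injection, the following is an added example (not Sucuri's or Security Ledger's code) that scans HTML for iframe, img, script or frame elements whose source points at a private LAN address or embeds `user:pass@` credentials in the URL, the two traits of the router-targeting markup described above. The sample page is constructed; the `setup.cgi` path in it is a placeholder, not a real router endpoint.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags the browser fetches automatically, without any user interaction.
FETCH_ATTRS = {"iframe": "src", "img": "src", "script": "src", "frame": "src"}


def classify_url(url):
    """Return a comma-joined reason string if the URL targets a LAN device, else None."""
    parts = urlsplit(url.strip())
    host = parts.hostname
    if not host:
        return None  # relative URL or no host component
    reasons = []
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            reasons.append("private-address")
    except ValueError:
        pass  # a hostname rather than a literal IP; not flagged here
    if parts.username is not None:
        reasons.append("embedded-credentials")  # user:pass@host in the URL
    return ",".join(reasons) or None


class LanTargetScanner(HTMLParser):
    """Collect (tag, url, reason) for auto-fetched elements aimed at LAN hosts."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag.lower())
        if attr is None:
            return
        for name, value in attrs:  # HTMLParser lowercases attribute names
            if name == attr and value:
                reason = classify_url(value)
                if reason:
                    self.findings.append((tag.lower(), value, reason))


def scan_html(html):
    """Parse a page and return the list of LAN-targeting elements found in it."""
    scanner = LanTargetScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample: one ordinary iframe, then two injected router-facing elements.
SAMPLE = """<html><body>
<iframe src="https://ads.example.net/banner"></iframe>
<iframe src="http://admin:admin@192.168.1.1/setup.cgi" width="0" height="0"></iframe>
<img src="http://10.0.0.1/login.cgi">
</body></html>"""

if __name__ == "__main__":
    for tag, url, reason in scan_html(SAMPLE):
        print(f"{tag}: {url} [{reason}]")
```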

Small office and home office (or SoHo) broadband routers are an increasingly common target for cyber criminals because many (most?) are loosely managed and often deployed with default administrator credentials.

[Read Security Ledger coverage of home router hacks here.]

In March, the firm Team Cymru published a report describing a widespread compromise of SoHo wireless routers that was linked to a cyber criminal campaign targeting online banking customers. More than 300,000 SoHo devices in Asia and Europe were found to have had their DNS (domain name system) settings altered, meaning that requests to visit legitimate web sites were directed through servers controlled by the cyber criminals, instead.

Cyber criminals can find exposed home routers by scanning IP blocks belonging to large ISPs and dedicated to use by small businesses and home users. Once found, the devices can be compromised by defeating weak authentication, or by exploiting other known security holes.

For example, in January, the Polish security website warned of a remotely exploitable hole in firmware run on home routers by TP-Link, a popular brand in Poland. The vulnerability in the firmware allowed a remote attacker to download the backup configuration data from the device without first authenticating (or logging in) to the router. The file could be used to harvest the actual administrative credentials needed to take control of the TP-Link router.

And, in August, a contest at the DEF CON hacking conference in Las Vegas offered prizes for successful exploits of previously unknown (or “zero day”) vulnerabilities in SoHo router firmware.

Still, the use of a web-based drive-by-download attack to target home routers, Sucuri malware analyst Fioravante Souza writes. You can read more (including steps to protect your home or SoHo router) via Website Security – Compromised Website Used To Hack Home Routers | Sucuri Blog.