
Hackers hijack 300,000-plus wireless routers, make malicious changes – Team Cymru – Ars Technica


Researchers said they have uncovered yet another mass compromise of home and small-office wireless routers, this one being used to make malicious configuration changes to more than 300,000 devices made by D-Link, Micronet, Tenda, TP-Link, and others.

The hackers appear to be using a variety of techniques to commandeer the devices and make changes to the domain name system (DNS) servers used to translate human-friendly domain names into the IP addresses computers use to locate their Web servers, according to a report published Monday by researchers from security firm Team Cymru. Likely hacks include a recently disclosed cross-site request forgery (CSRF) that allows attackers to inject a blank password into the Web interface of TP-Link routers. Other attack techniques may include one that allows wireless WPA/WPA2 passwords and other settings to be remotely changed.

So far, the attacks have hijacked more than 300,000 routers in a wide range of countries, including Vietnam, India, Italy, Thailand, and Colombia. Each compromise has the potential to redirect virtually all connected end users to malicious websites that attempt to steal banking passwords or push booby-trapped software, the Team Cymru researchers warned. The campaign comes weeks after researchers from several unrelated organizations uncovered separate ongoing mass hacks of other routers, including a worm that hit thousands of Linksys routers and the exploit of a critical flaw in Asus routers that exposes the contents of hard drives connected by USB.

Yet another recently discovered campaign targeting online bank customers in Poland worked in part by modifying home routers’ DNS settings. In turn, the phony domain name resolvers listed in the router settings redirected victims’ computers, tablets, and smartphones to fraudulent websites masquerading as an authentic bank service. The malicious sites would then steal the victims’ login credentials. The router “pharming” attack reported by Team Cymru appears to be part of a distinct campaign given its much larger size, geographic diversity, and the fact that so far there are no indications that DNS lookups for banking sites are affected.

“The scale of this attack suggests a more traditional criminal intent, such as search result redirection, replacing advertisements, or installing drive-by downloads; all activities that need to be done on a large scale for profitability,” Monday’s report stated. “The more manually intensive bank account transfers seen in Poland would be difficult to conduct against such a large and geographically-disparate victim group.”

Have I been hacked?

The telltale sign that a router has been compromised is DNS settings that have been changed to the two IP addresses identified in the report. Team Cymru researchers contacted the provider that hosts those two IP addresses but have yet to receive a response. The researchers also privately contacted representatives of all manufacturers whose routers are being successfully hacked in this latest campaign.
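A practical version of the check described above, added here as an example (it is not code from the Ars article or from Team Cymru): it classifies the nameservers a router hands out to clients, then asks a suspect resolver and a trusted resolver for the same name and flags an answer that shares no address with the trusted one. The allowlist, the sample resolv.conf, the resolver address 203.0.113.7 and the answer packets are constructed for illustration; the page does not reproduce the attacker addresses, and this code does not assume them.

```python
"""Check whether the DNS settings a router pushes to clients look pharmed.

(1) Classify each nameserver from resolv.conf as the router itself, an allowlisted
public resolver, or an unexpected public address worth a WHOIS lookup.
(2) Compare A answers from the suspect resolver and a trusted one for the same name.
A minimal DNS A-record codec is included so no third-party library is needed.
"""
import ipaddress
import socket
import struct

# Assumption: an allowlist you maintain of public resolvers you expect to see.
KNOWN_GOOD_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}
# A home router normally hands out its own LAN (RFC 1918) address as the resolver.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_resolv_conf(text):
    """Nameserver addresses from resolv.conf-style text, comments stripped."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def classify_resolver(ip):
    """'lan' (router/local forwarder), 'known-good' (allowlisted), or 'suspicious'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LAN_NETS):
        return "lan"
    return "known-good" if ip in KNOWN_GOOD_RESOLVERS else "suspicious"

def audit_resolvers(resolv_text):
    """Map each configured nameserver to its classification."""
    return {ip: classify_resolver(ip) for ip in parse_resolv_conf(resolv_text)}

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_a_query(name, txid=0x1234):
    """Recursion-desired A query: header, QNAME, QTYPE=A(1), QCLASS=IN(1)."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", 1, 1))

def build_a_response(name, ips, txid=0x1234, ttl=60):
    """Constructed response for the offline sample (no name compression)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rrs = b"".join(encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4)
                   + socket.inet_aton(ip) for ip in ips)
    return header + question + rrs

def _skip_name(packet, off):
    """Advance past a wire-format name; a 2-byte compression pointer ends it."""
    while True:
        length = packet[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_a_answers(packet):
    """IPv4 strings from the A records in the answer section, in wire order."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(packet, off) + 4   # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(packet, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(packet[off:off + 4]))
        off += rdlen                        # CNAME and other rdata are skipped

    return ips

def query_a(name, resolver, timeout=2.0):
    """Live UDP/53 lookup against one resolver (not used by the offline sample)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_answers(data)

def looks_pharmed(suspect_ips, trusted_ips):
    """Flag only when the answer sets share no address at all. CDN rotation makes
    exact equality a false-positive generator; confirm a hit via a second trusted resolver."""
    return bool(suspect_ips) and not set(suspect_ips) & set(trusted_ips)

# Constructed sample: resolv.conf as a compromised router might push it (203.0.113.7 is a
# TEST-NET address standing in for an unknown public resolver), plus constructed answers.
SAMPLE_RESOLV_CONF = "# Generated by dhcp\nnameserver 192.168.1.1\nnameserver 203.0.113.7\nnameserver 8.8.8.8\n"
SUSPECT_ANSWER = build_a_response("www.example-bank.test", ["203.0.113.50"])
TRUSTED_ANSWER = build_a_response("www.example-bank.test", ["198.51.100.10", "198.51.100.11"])

if __name__ == "__main__":
    print(audit_resolvers(SAMPLE_RESOLV_CONF))
    print("pharmed:", looks_pharmed(parse_a_answers(SUSPECT_ANSWER), parse_a_answers(TRUSTED_ANSWER)))
```

On a real network, run `audit_resolvers` against the DHCP-provided resolvers (and against the upstream servers shown in the router's own admin page, since a hijacked router usually still hands out its LAN address and forwards to the attacker's servers), then call `query_a` for a few sensitive names against both the router and a trusted resolver. A "suspicious" public address, or a non-overlapping answer set, is the cue to inspect the router and factory-reset it.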

Monday’s report is the latest to underscore the growing number of real-world attacks that target weaknesses in routers, modems, and other devices running embedded software. Such attacks were once largely the domain of computers running Microsoft operating systems; against embedded devices they in some cases exploit software bugs in the underlying code, and in other cases seize on default passwords or other errors made by the people operating the targeted devices.

“As embedded systems begin to proliferate in both corporate and consumer networks, greater attention needs to be given to what vulnerabilities these devices introduce,” the Team Cymru researchers wrote. “Security for these devices is typically a secondary concern to cost and usability and has traditionally been overlooked by both manufacturers and consumers.”
