Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Mass-Scale Abuse of poorly configured SOHO Routers

Several dozen Imperva Incapsula customers were targeted by a DDoS botnet comprised of tens of thousands of hijacked SOHO routers. Security experts at Incapsula firm spotted a DDoS botnet composed of tens of thousands of malware-infected Small Office / Home Office SOHO routers engaged in application layer HTTP flood attacks. The SOHO routers were infected with a strain […]

Mass-Scale Abuse of poorly configured SOHO Routers

Several dozen Imperva Incapsula customers were targeted by a DDoS botnet comprised of tens of thousands of hijacked SOHO routers.

Security experts at Incapsula firm spotted a DDoS botnet composed of tens of thousands of malware-infected Small Office / Home Office SOHO routers engaged in application layer HTTP flood attacks.

The SOHO routers were infected with a strain of the Spike Linux Trojan (Trojan.Linux.Spike.A) and MrBlack, which is a Linux agent spotted for the first time by researchers at Dr.Web in May 2014.

The attackers leveraged remotely accessibility to the SOHO routers via HTTP and SSH on their default ports in order to compromise the network devices. As explained in the report published by Incapsula, the SOHO routers were poorly configured, attackers used default credentials (e.g. admin/admin) in order to access them and injected the malicious code. The malware was also able to propagate itself by scanning the network in order to locate and infect other routers.

According to the researchers, the hijacked SOHO routers  are ARM-based devices from wireless networking product manufacturer Ubiquiti Networks.

The experts at Incapsula analyzed a total of 13,000 malware samples found on the infected SOHO routers, on average each device were infected by at least four variants of the Spike malware and also by other DDoS malware, such as BillGates, Dofloo and Mayday.

The firm discovered a series of attacks against its customers in late December 2014, in a 121-day period the researchers tracked the malicious architecture used by cyber criminals.

The IPs of 60 command and control (C&C) servers were identified and the researchers recorded malicious traffic originated from more than 40,000 IP addresses belonging to nearly 1,600 ISPs worldwide across 109 countries.

It is interesting to note that more than 85 percent of the infected SOHO routers are located in Thailand and Brazil.

“More than 85 percent of all compromised routers are located in Thailand and Brazil, while the majority of the C2s are located in the US (21%) and China (73%). Overall, we’ve documented attack traffic from 109 countries around the world.” states the report.

SOHO routers botnet

Who operated the botnet?

According to Incapsula, the compromised SOHO routers are being exploited by several threat actors, including the popular Anonymous collective.

Incapsula speculated that hundreds of thousands or even millions of SOHO routers have been compromised due to a poor configuration.

Pierluigi Paganini

(Security Affairs –  Soho Routers, hacking)