Attack campaign compromises 300,000 home routers, alters DNS settings

Attackers have used a variety of techniques to exploit known vulnerabilities in router models from different manufacturers

A group of attackers managed to compromise 300,000 home and small-office wireless routers, altering their settings to use rogue DNS servers, according to Internet security research organization Team Cymru.

In January, Team Cymru's researchers identified two TP-Link wireless routers whose settings were altered to send DNS (Domain Name System) requests to two particular IP addresses: and An analysis of the rogue DNS servers running at those IP addresses revealed a mass-scale compromise of consumer networking devices.

Over a one-week period, more than 300,000 unique IP addresses sent DNS requests to the two servers, the Team Cymru researchers said in a report released Monday. Many of those IP addresses corresponded to a range of routers, including models from D-Link, Micronet, Tenda, TP-Link and other manufacturers, that had their DNS settings maliciously altered, they said.

The researchers believe those devices were compromised using different techniques that exploit several known vulnerabilities. Many of the affected devices had their administrative interfaces accessible from the Internet, making them susceptible to brute-force password-guessing attacks or unauthorized access using default credentials, if their owners didn't change them, the researchers said.

A considerable number of devices also appeared to be vulnerable to a security flaw reported in January in ZynOS, a router firmware created by ZyXEL Communications that's also used on router models from other manufacturers. That vulnerability allows attackers to remotely download a file containing the configuration of vulnerable routers without authentication and parse it to extract the password for the router's administrative interface.

According to the Team Cymru researchers, it's also likely that attackers used cross-site request forgery (CSRF) to exploit vulnerabilities in TP-Link routers that have been known since last year.

CSRF attacks involve placing malicious code on a website to force visitors' browsers to send specially crafted requests to a third-party URL. If the users are authenticated on the third-party site and the site has no CSRF protection, the malicious requests can abuse the users' access on that site to perform unauthorized actions. This type of attack is also known as session riding.

Attackers can use CSRF techniques to attack routers when their administration interfaces are only accessible from the local area network by proxying requests through their owners' browsers and leveraging their authenticated sessions.

The Team Cymru researchers noted two vulnerabilities reported in various TP-Link router models last year that are known to have been targeted through CSRF attacks. One allows attackers to replace the administrator password with a blank one and the other allows changing the router's DNS settings, even if the rogue request contains bogus credentials.

The first vulnerability was tested successfully against a TP-Link TD-8840T router running firmware version 3.0.0 build 120531 that was one of the first victim devices identified in the attack campaign, the researchers said. The second vulnerability reportedly affects TP-Link WR1043ND, TL-MR3020 and TL-WDR3600 running various firmware versions, but other models might also be affected.

TP-Link has released firmware patches for some of the affected models, but users rarely update their home routers and other networking devices.

The mass compromise identified by Team Cymru bears some resemblance to another attack campaign reported in early February that altered the DNS settings of home routers in Poland to intercept online banking sessions. That attack is also believed to have exploited the ZynOS vulnerability, but Team Cymru believes it's separate from the larger attack campaign they identified.

In the Polish attack, hackers used different rogue DNS servers, targeted a small pool of users in a more concentrated geographic area and specifically focused on intercepting connections to Polish banking sites.

"In contrast, the attackers setting devices to the IPs and had compromised a very large pool of devices, and controlled large blocks of devices within specific ISPs, where the homogeneity of SOHO [small office/home office] router models, configurations and firmware versions likely allowed the attack to scale easily," the Team Cymru researchers said.

The majority of routers compromised in the attack campaign identified by Team Cymru were located in Vietnam (around 160,000 IP addresses), but overall the campaign had a global distribution. Aside from Vietnam, the top 10 countries by victim count were India, Italy, Thailand, Colombia, Bosnia and Herzegovina, Turkey, Ukraine, Serbia and Ecuador. The U.S. was 11th.

"The scale of this attack suggests a more traditional criminal intent, such as search result redirection, replacing advertisements, or installing drive-by downloads; all activities that need to be done on a large scale for profitability," the researchers said. "The more manually intensive bank account transfers seen in Poland would be difficult to conduct against such a large and geographically-disparate victim group."

The researchers also observed that the two DNS servers used by the attackers responded intermittently to requests, meaning that victims likely experienced Internet connection issues. DNS is a critical service that's used to translate domain names into numerical IP addresses. Without this functionality a computer would not be able to access any website using its domain name.

By controlling DNS resolution attackers can transparently redirect users to servers under their control when those users try to access legitimate websites and this enables a variety of attacks from traffic snooping to hijacking search queries and injecting exploits, advertisements, and other rogue content into traffic.

This newly reported mass compromise is the latest in a series of large-scale attacks against home routers that have been uncovered recently. Aside from the online banking attacks in Poland, security researchers also discovered a worm infecting Linksys routers. Recent vulnerabilities in ASUS routers also left thousands of USB-attached hard drives exposed to remote access from the Internet.

"Our research indicates that threats to routers will continue to increase as malicious actors recognize how much information can be gained by attacking these devices," said Craig Young, a security researcher at Tripwire, via email.

Tripwire's research team found security vulnerabilities in 80 percent of the top 25 best-selling SOHO wireless router models available on, according to Young.

"Of these vulnerable models, 34 percent have publicly documented exploits that make it relatively simple for attackers to craft either highly targeted attacks or general attacks targeting every vulnerable system they can find," the researcher said.

Both Young and the Team Cymru researchers advise users to disable remote management over the Internet on their routers and to keep their firmware up to date. If remote administration is absolutely necessary, steps should be taken to restrict remote access to only particular IP addresses. Other recommendations include: changing the default passwords, not using the default IP address ranges for a LAN, logging out every time after accessing the router interface, checking the router's DNS settings frequently to ensure they haven't been modified, and using SSL (Secure Sockets Layer) to access the router's Web interface if the option is available.

Join the CSO newsletter!

Error: Please check your email address.

Tags patchesLinksysonline safetyNetworkingTripwireroutersExploits / vulnerabilitiesprivacyTeam Cymrunetworking hardwareintrusionsecurityasusspywareD-LinkTP-Link

More about Amazon.comAmazon Web ServicesASUSASUSASUSD-Link AustraliaLANLinksysMicronetTendaTP-LinkTripwireZyXEL

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place