Mystery botnet hijacks broadband routers to offer DDoS-for-hire

Incapsula detects 40,000-node botnet exploiting poorly-configured Ubiquiti routers

A rival hacker group to the infamous Lizard Squad has been discovered quietly using a previously unknown global botnet of compromised broadband routers to carry out DDoS and Man-in-the-Middle (MitM) attacks.

The discovery was made by security firm Incapsula (recently acquired by Imperva), which first noticed attacks against a few dozen of its customers in December 2014. Since then the firm has tracked the botnet and now estimates its size at more than 40,000 IPs across 1,600 ISPs, with at least 60 command and control (C2) nodes.

Almost all of the compromised routers appear to be unidentified ARM-based models from a single US vendor, Ubiquiti, whose devices are sold across the world, including in the UK. Incapsula detected traffic from compromised devices in 109 countries, overwhelmingly in Thailand and in Brazil, already a hotspot for router compromise.

The compromise that allowed the Ubiquiti routers to be botted in the first place appears to come down to two configuration weaknesses rather than a bug. The first is simply that the devices have been left with the vendor's default username and password - perhaps a sign that some of these devices are older - allowing the attackers easy access.

The second and more unexpected flaw is that the routers also allow remote, Internet-facing access to their HTTP management interface and to SSH on the default ports. On its own an exposed login page is bad practice; combined with default credentials it is open sesame to attackers, who need nothing more than a port scan and a password list.
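The two conditions above can be checked from the outside with nothing more than a TCP connection. The following is an added example written for this article, not code from Incapsula or Ubiquiti: it probes an address for an SSH service and an HTTP service on the default ports, reads the SSH identification string (which an SSH server sends unprompted) and the HTTP status line and Server header, and reports whether the router exposes management services on its WAN side. It deliberately does not try credentials. To run offline it starts two simulated services on loopback whose banners (`SSH-2.0-dropbear_2012.55`, `lighttpd/1.4.31`) are constructed for the demo and are not claims about what the affected routers actually run.

```python
"""Added example: WAN-side exposure check for a broadband router.

Not Incapsula's or Ubiquiti's code. Checks whether SSH and HTTP management
services answer on a given address and reports what they announce.
"""
import socket
import socketserver
import threading

DEFAULT_PORTS = {"ssh": 22, "http": 80}  # the default ports the article refers to


def probe_ssh(host, port, timeout=3.0):
    """Connect and read the server's SSH identification string.

    Per RFC 4253 the server sends "SSH-2.0-..." first, so no client data is
    needed. Returns the banner, or None if the port is closed or not SSH.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = s.recv(255)
    except OSError:
        return None
    line = data.split(b"\n", 1)[0].strip()
    return line.decode("ascii", "replace") if line.startswith(b"SSH-") else None


def probe_http(host, port, timeout=3.0):
    """Send a minimal HTTP/1.0 GET; return the status line and Server header."""
    request = b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            buf = b""
            while b"\r\n\r\n" not in buf:  # read until end of headers or EOF
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
    except OSError:
        return None
    if not buf.startswith(b"HTTP/"):
        return None
    head = buf.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    server = next((l.split(":", 1)[1].strip()
                   for l in lines[1:] if l.lower().startswith("server:")), "")
    return {"status": lines[0], "server": server}


def assess(host, ssh_port=DEFAULT_PORTS["ssh"], http_port=DEFAULT_PORTS["http"]):
    """Return an exposure report for one router address."""
    ssh = probe_ssh(host, ssh_port)
    http = probe_http(host, http_port)
    findings = []
    if ssh:
        findings.append(f"SSH reachable on {ssh_port}: {ssh}")
    if http:
        findings.append(f"HTTP reachable on {http_port}: {http['status']} "
                        f"Server={http['server']!r}")
    return {"host": host, "ssh": ssh, "http": http,
            "exposed": bool(findings), "findings": findings}


# --- simulated exposed router on loopback, so the demo runs offline ---------

class _FakeSSH(socketserver.BaseRequestHandler):
    BANNER = b"SSH-2.0-dropbear_2012.55\r\n"  # constructed banner for the demo

    def handle(self):
        self.request.sendall(self.BANNER)


class _FakeHTTP(socketserver.BaseRequestHandler):
    RESPONSE = (b"HTTP/1.0 200 OK\r\nServer: lighttpd/1.4.31\r\n"  # constructed
                b"Content-Type: text/html\r\n\r\n<html>login</html>")

    def handle(self):
        self.request.recv(1024)
        self.request.sendall(self.RESPONSE)


def start_fake_router():
    """Start both simulated services on ephemeral loopback ports."""
    servers, ports = [], []
    for handler in (_FakeSSH, _FakeHTTP):
        srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        servers.append(srv)
        ports.append(srv.server_address[1])
    return ports[0], ports[1], servers


def demo():
    """Assess the simulated router and shut it down again."""
    ssh_port, http_port, servers = start_fake_router()
    try:
        return assess("127.0.0.1", ssh_port, http_port)
    finally:
        for srv in servers:
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    report = demo()
    for finding in report["findings"]:
        print(finding)
    print("EXPOSED" if report["exposed"] else "no management services reachable")
```

Against a real device you would call `assess()` with the router's public address from a host outside the customer's network; a router that answers on either port from the Internet should have remote management disabled (or restricted to a management network) and its default password changed, regardless of whether the vendor or the ISP is responsible for the shipped configuration.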

Once compromised, the routers appear to have been used to host a number of pieces of malware, mainly the Linux Spike Trojan, aka 'MrBlack', used to carry out DDoS attacks. The firm inspected 13,000 malware samples and found evidence of other DDoS tools, including Dorfloo and Mayday.

The C2s for these tools were found in several countries, 73 percent in China and 21 percent in the US. This doesn't mean the attackers were based there; they were simply using infrastructure hosted in those locations.

"Given how easy it is to hijack these devices, we expect to see them being exploited by additional perpetrators. Even as we conducted our research, the Incapsula security team documented numerous new malware types being added, each compounding the threat posed by the existence of these botnet devices," said the firm's researchers.

The clustering of many of the compromised routers around specific ISPs raises the obvious question of whose problem this is to fix. According to an Incapsula source Techworld spoke to, Ubiquiti believes the issue lies with the ISPs that almost certainly distributed these devices in their insecure state, and they appear to have a point: for once this attack doesn't depend on a software flaw in the router itself.

The more intriguing issue is who might be using this botnet. According to Incapsula, it's not the Lizard Squad, even if the MO is very similar to that group's DDoS-for-hire service, Lizard Stresser. Oddly, however, the botnet's activity did appear to flare up at the same time as the Lizard Squad's, which hints at some connection.

"If anything, they present us with several open questions about the possible evolution of Lizard Squad's botnet resources and the existence of copycats that are following in the group's footsteps," said Incapsula.

Attacks on home routers have become common in the last three years, with motivations including DNS redirection as well as DDoS and eavesdropping. Usually, attackers exploit a flaw in the router firmware itself but attacks on default logins are an even simpler method.

Techworld and Tripwire recently published a Q&A guide to securing broadband routers.


Stories by John E Dunn