
Hacking home and corporate network equipment can cost tens or even hundreds of millions of US dollars. The Mirai botnet, which originally spread by infecting routers, is one example: it caused hundreds of millions of US dollars of damage to the global economy.
One might expect that the manufacturers of network devices, having realized the problem, closed the "holes" and made their systems immune to malware. In fact, not quite. Some individual holes were fixed, but large-scale compromises still happen. One striking example is the recent discovery of vulnerabilities that affect Cisco routers worldwide.
What kind of problem was found?
In the middle of last month, a group of researchers from Red Balloon announced the discovery of several vulnerabilities in Cisco 1001-X routers. It is not known whether attackers have exploited these flaws, but the holes do pose a serious danger.
The first vulnerability is a bug in Cisco IOS that lets attackers gain access to routers of the series mentioned above. Closing it is quite simple: you only need to update the device firmware (which, of course, not every company does).
The second hole is much more dangerous and far broader than the first. It affects the operation of hundreds of millions of the company's network devices, not only routers but also switches, firewalls and other equipment. The researchers were able to bypass the protection system called Trust Anchor. This is a module for verifying the integrity of the company's equipment. It was originally added to protect against counterfeit hardware and was later extended into a comprehensive system for checking the integrity of the software on Cisco network devices. Today Trust Anchor ships in all of Cisco's current network devices.

As it turned out, the problem cannot be solved by a remote firmware upgrade alone. After its investigation, Cisco concluded that on most devices it can be fixed only by reprogramming them by hand. The company may have to change the architecture of the "anchor", which will take time and money. All that time the equipment remains vulnerable. Cisco did say that it has no data on large-scale exploitation of the vulnerability, so no urgent measures requiring significant resources will be taken for now.
Not only Cisco
Not only Cisco routers are vulnerable; in fact, the problem applies to the network devices of the vast majority of manufacturers. The most exposed, as far as one can judge, are routers: they are the devices botnet developers use most often.
Linksys Routers
Almost simultaneously with the news about the Cisco problems, news appeared about a vulnerability in thousands of Linksys smart routers. The hole in these devices' protection allowed (and still allows) remote unauthorized access to them.
A network scan revealed 25,617 Linksys Smart Wi-Fi devices open to intruders. These devices expose not only the MAC addresses of the devices connected to them, but also the model, OS version, WAN settings, firmware version, other settings and the DDNS configuration.
Attackers can profit from all this data, as well as from access to the routers themselves, to build botnets out of them. Dozens of router models are vulnerable. Below is a list of the affected models with a description of the vulnerability.

The company stated that it does not consider the vulnerability to be large-scale, so the problem will not be solved in the near future. Devices with automatic firmware updates enabled will not need the user to do anything: as soon as a patch is released, it will be installed automatically. But do not forget that on about 50% of the systems automatic updates are disabled, so those devices will remain "open" to outside interference for weeks, if not months.
MikroTik Routers
At the end of last year it became known that unknown attackers had compromised thousands of MikroTik routers to build a botnet. Although the vulnerability was discovered in April 2018, it stayed relevant for a long time, since not all router owners rushed to install the firmware update.
Initially the problem led to many thousands of routers being compromised: 240 thousand routers were attacked and turned into SOCKS4 proxies used by the attackers for their own purposes. At the end of last year several hundred thousand routers were still online with the vulnerability unpatched, and it is safe to assume that many of them remain unpatched to this day.
Compromised routers also redirect network traffic, including FTP and e-mail. Researchers have also found traffic characteristic of remote control of network devices. The packets are sent to an IP address belonging to a provider in Belize; it is not known whether this is merely a disguise or whether the attackers are physically located in that region.
In any case, if some other group of cybercriminals takes it into their heads to use the company's routers, for example to build a botnet, they can do so without difficulty.
D-Link Routers
In the same period, at the end of last year, cybersecurity experts discovered an active attack on D-Link routers. As it turned out, the firmware contained a vulnerability that allowed the routers to be hijacked without much trouble in order to redirect connected users to websites or services chosen by the cybercriminals. The vulnerability applied to the D-Link DSL-2740R, DSL-2640B, DSL-2780B, DSL-2730B and DSL-526B models.
The problem was "solved" by the fact that the resources the hackers used to control the routers were shut down. But most of the devices themselves remained compromised, and an even larger number of routers still carry the unpatched firmware vulnerability. To be precise, D-Link did release a fix, but only a small fraction of device owners installed it.
Huawei Routers
At the very end of 2017 there was a massive attack on routers made by the Chinese company Huawei. The attackers used the vulnerability CVE-2017-17215 to gain access to Huawei HG532 devices. As it turned out, this hole was actively used by the Brickerbot and Satori botnets. The security specialists who discovered the problem reported it to the company, but unfortunately it is not known how quickly the hole was closed.
In mid-2018, in a single day, about 18,000 Huawei network devices were infected and formed into a botnet by one attacker. As it turned out, the cybercriminal exploited the very same vulnerability, CVE-2017-17215, discussed above.
It may well be that, as in the previous cases, tens of thousands of devices affected by this vulnerability are still online, which leaves the HG532 line of routers open to outside interference.
Zyxel Routers
Yes, the problem touched our company too, although we tried to fix it as quickly as possible. The vulnerability in question received the identifier CVE-2019-9955. It affected not routers but hardware firewalls.
A hotfix has already been released for all models, so if your equipment is not configured for automatic updates, you can download it manually here. Devices shipping now already include the fix, so the previously discovered vulnerability no longer applies to them.
And now what?
The problem is that everything described above is just the tip of the iceberg. Far more router models from various manufacturers are vulnerable. Earlier there was news about problems with Realtek, ASUS, Dasan GPON and other routers.
It is quite possible that while you are reading this article your own router is working in the attackers' interests, whether as part of a botnet or by leaking personal information. Most Habr users are aware of this, but there are many vulnerabilities, and there is not always the time or the opportunity to close them.
Still, you can defend yourself, and it is not that hard. The methods are simple and at the same time effective.
Software solutions
The simplest recipe, which helps against most of the malware that forms botnets, is to restart the router right now. This is easy, and it has an effect if an infection has already occurred, because such malware usually lives only in the device's memory and does not survive a reboot. It will not, however, protect against a fresh infection.
In addition, be sure to change the default login and password. Even very experienced IT professionals are too lazy to do this. Many people know about the problem, but here knowledge by itself means nothing; it has to be applied.
Do not turn off automatic firmware updates; they help in many cases. It is also worth checking for new firmware manually from time to time, even if automatic updates are enabled.
It does not hurt to disable the features you do not use, for example remote web access or remote management, as well as Universal Plug-and-Play (which is not always a useful feature).
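As an added example (not code from the original article), here is a short Python script that checks, from inside the LAN, the two things the last point recommends turning off: whether the router's management ports still answer, and whether it still advertises itself as a UPnP Internet Gateway Device via SSDP discovery (multicast to 239.255.255.250:1900). The list of management ports, the default router address 192.168.1.1 and the way the results are worded are assumptions of this example, not something the article specifies.

```python
import socket

# Ports routers commonly use for management. The list is this example's assumption,
# not something the article specifies; extend it for your own device.
MANAGEMENT_PORTS = {
    22: "SSH",
    23: "Telnet",
    80: "HTTP admin UI",
    443: "HTTPS admin UI",
    8080: "alternate HTTP admin UI",
    7547: "TR-069 (CWMP) remote management",
}

SSDP_GROUP = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(st=IGD_ST, mx=2):
    """Build the SSDP M-SEARCH datagram used for UPnP discovery."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_response(data):
    """Parse an SSDP reply. Returns a dict of lower-cased headers for an
    'HTTP/1.1 200 OK' reply, or None for anything else (e.g. NOTIFY chatter)."""
    text = data.decode("utf-8", errors="replace")
    lines = text.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def is_gateway_device(headers):
    """True if the reply comes from an Internet Gateway Device, i.e. a UPnP-enabled router."""
    return ("InternetGatewayDevice" in headers.get("st", "")
            or "InternetGatewayDevice" in headers.get("usn", ""))


def discover_upnp(timeout=3.0):
    """Multicast an M-SEARCH for IGDs and collect (address, location, server) per reply.
    Needs network access; only the __main__ block below calls it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_msearch(), SSDP_GROUP)
        while True:
            data, (addr, _port) = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if headers and is_gateway_device(headers):
                found.append((addr, headers.get("location", ""), headers.get("server", "")))
    except socket.timeout:
        pass  # silence after the MX window means discovery is over
    finally:
        sock.close()
    return found


def probe_ports(host, ports=MANAGEMENT_PORTS, timeout=1.0):
    """Return {port: service} for every management port that accepts a TCP connection."""
    open_ports = {}
    for port, name in ports.items():
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports[port] = name
    return open_ports


def findings(open_ports, gateways):
    """Turn raw probe results into the checklist from the article."""
    out = []
    for port, name in sorted(open_ports.items()):
        out.append(f"port {port} ({name}) is open: disable it if unused, or restrict it to the LAN")
    for addr, location, server in gateways:
        out.append(f"UPnP IGD answered from {addr} ({server}, description at {location}): "
                   "disable UPnP unless you really need it")
    return out


if __name__ == "__main__":
    import sys
    # Assumed default gateway address; pass your router's LAN IP as the first argument.
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    for line in findings(probe_ports(router), discover_upnp()):
        print(line)
```

Run it from a machine on the router's LAN (`python3 router_check.py 192.168.1.1`). An open Telnet or TR-069 port, or any SSDP reply naming an InternetGatewayDevice, is something to go and switch off in the router's settings; a clean run after the change confirms the setting actually took effect, which is the check the advice above otherwise leaves to trust.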
Hardware solutions
To protect all your smart devices from outside interference, it is worth using specialized devices.

One example is the Bitdefender BOX 2. This device can protect tablets, laptops, smart light bulbs, TVs and everything else that connects to the wireless network from intruders. It is a wireless hub that acts as a kind of cyber-security service for your home or small office.

If the previous device does not suit you for some reason, look at BullGuard. It works on almost the same principle, and in addition it can track suspicious activity on the network and report it.

More powerful protection is provided by the Zyxel VPN2S, USG20 and VPN50 firewalls. They protect VPN channels, which are used, for example, by a remote employee to connect to the infrastructure of the corporation he works for. They offer SPI and DDoS protection, and functions useful to both private and corporate users are available.

Well, for business users, Zyxel offers devices such as the ATP and USG series, plus the ZyWALL series gateways.
And what do you use to protect your home or office? Please share in the comments; quite probably this information will be very useful for all Habr readers who care about information security.
Technical support for Zyxel corporate and home equipment is available in our Telegram chat. Company news, new product announcements and other announcements are published in our Telegram channel.