Hardware is now a top-tier threat vector for cybercriminals. Internet of Things (IoT) devices are leading the charge, since many lack basic security protections but have almost unlimited access to network resources.
As noted by Bleeping Computer, however, malware attacks using a new strain called RouteX are targeting common hardware used by enterprises: routers. Specifically, Netgear routers running older or unpatched firmware. The result? Hijacked proxies are used to leverage leaked data.
Malware En Route
Potentially the work of a Russian threat actor nicknamed Links, the RouteX malware leverages a flaw identified as CVE-2016-10176, which impacts the web server included with Netgear WNR routers — this server powers the onboard administrative interface. According to Bleeping Computer, “The vulnerability allows unauthenticated attackers to perform sensitive, admin-level actions.”
Once a device has been infected, fraudsters install a SOCKS proxy, then add Linux firewall rules that prevent anyone else from exploiting the same flaw, along with restricting the router to a specific set of IP addresses.
Why? Because the routers are being used for credential stuffing attacks, which occur when cybercriminals take username/password data from publicly leaked breaches and attempt to breach multiple online services. By using proxies on compromised routers, attackers can cycle through new sets of IPs and avoid bans from brute-force detection systems, which cut off rapid-fire access attempts.
And by creating a large pool of infected routers, attacking multiple online services and shifting IP addresses, it’s possible for malicious actors to quickly discard nonworking data, even as they breach personal accounts.
Patching to the latest version of Netgear firmware should solve the problem, but with so many routers on the market, it’s difficult for researchers to estimate the total size of infection — although it’s telling that most of the credential-stuffing targets are Fortune 500 companies, and some have already sent cease-and-desist letters to companies unknowingly compromised by these new malware attacks.
Firm Fixes for Malware Attacks?
This isn’t the first time router vulnerabilities have been the target of cybercriminal interest, but the intended resolution hasn’t always gone as planned. Consider the recent flaws discovered in D-Link routers: After communication with the developer yielded no actionable results, security firm Embedi and researcher Pierre Kim published details of the flaws in an effort to have them resolved.
And as noted by ZDNet, five flaws found in popular routers used by AT&T customers are easy to exploit, allowing attackers to bypass existing firewalls and then alter network setup functions, change Wi-Fi usernames and passwords and even reroute internet traffic.
Here’s the takeaway: Despite increasing risk from IoT devices, routers remain a popular avenue for compromise because they’re mass-produced, widely used and often include stock security permissions that can be overwhelmed, evaded or simply ignored if threat actors want to gain access.
Best-case scenario? Users temporarily lose access to Wi-Fi or wired connections, discover the problem, clean their system and install the latest firmware fix. Worst case? Total hijacking — network traffic sent to malicious websites or routers used as stealth proxies to carry out credential spoofing attacks on major corporations.
Routers are risky business. It’s not enough to assume solid security because routers haven’t yet been breached, or they seem like low-value targets. Instead, admins need to regularly install firmware updates and keep an eye out for router redirects or resource calls that aren’t in line with typical use.